Forwarding CSV file to Indexer with Header in Splunk

Hi guys!!

Today, we will show you how to send a CSV file with header information. We all know how to send a file from a UF to an indexer. Today we will learn something new and interesting: how to send a CSV file with its header to the indexer.

Suppose we monitor a CSV file. The file can contain any type of information, for example a company's employee-related data. The field names are on the top line; this line is called the header.

In this situation, when the file is stored in the indexer, the headers become the field names and the rest of the data becomes the field values for the corresponding header.

Sample data is given below.

Name,Age,City
Arihant,23,Bishnupur
Ayen,24,Medinipur
Salim,24,Ranchi
Khusbu,22,Kharagpuir

This data is saved in a file named headerfile.txt in the /tmp directory.

Here the first line, Name,Age,City, is the header. So when the file is stored in the indexer, the field names will be Name, Age and City respectively.

Follow the steps given below.

Step 1:

First of all, set up inputs.conf on the UF and add the sourcetype and index name there.

[monitor:///tmp/headerfile.txt]
index=headerfile
sourcetype=header

Step 2:

Add outputs.conf on the same server. Here we add the IP address where the data will go.

[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 10.128.0.2:9997
[tcpout-server://10.128.0.2:9997]

Step 3:

Then we add props.conf with the attributes that perform the task.

[header]
SHOULD_LINEMERGE = false
FIELD_DELIMITER=,
HEADER_FIELD_DELIMITER=,
FIELD_QUOTE="

In the above lines, header is the sourcetype defined in inputs.conf.

The field values are separated by commas, so FIELD_DELIMITER=, is used. The header, that is the field names, is also separated by commas, so HEADER_FIELD_DELIMITER=, is used. The field names and field values are extracted but will not be assigned, so to assign the values to their fields we use FIELD_QUOTE=".

NOTE: props.conf must be placed on the same server (UF) where inputs.conf and outputs.conf are configured. Otherwise it will not work.

Step 4:

Then run the query index="headerfile". Your data will come in and the values will be assigned to their fields respectively.

See all the headers have become field names.
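Before pointing the monitor at a file, it helps to confirm that every row splits into the same number of fields as the header under the delimiter and quote settings from Step 3. The Python script below is an added example, not part of the original post and not Splunk's own parser; it approximates the split with Python's csv module, and the function names and the extra quoted row in the sample are assumptions made for illustration.

```python
import csv

# Values copied from the [header] stanza in props.conf (Step 3).
FIELD_DELIMITER = ","
HEADER_FIELD_DELIMITER = ","
FIELD_QUOTE = '"'


def split_line(line, delimiter, quote):
    """Split one line on `delimiter`; delimiters inside quotes stay in the value."""
    if quote is None:
        # No quote character configured: every delimiter splits.
        return line.split(delimiter)
    return next(csv.reader([line], delimiter=delimiter, quotechar=quote))


def check_csv(text, quote=FIELD_QUOTE):
    """Return (events, problems) for CSV text whose first line is the header.

    events   -- one {field name: value} dict per well-formed row
    problems -- (line number, field count, raw line) for rows that do not
                match the header and would end up with misaligned fields
    """
    lines = text.splitlines()
    header = split_line(lines[0], HEADER_FIELD_DELIMITER, quote)
    events, problems = [], []
    for lineno, line in enumerate(lines[1:], start=2):
        if not line.strip():
            continue  # ignore blank lines
        values = split_line(line, FIELD_DELIMITER, quote)
        if len(values) != len(header):
            problems.append((lineno, len(values), line))
        else:
            events.append(dict(zip(header, values)))
    return events, problems


# Constructed sample: rows from the post plus one quoted value containing a comma.
SAMPLE = 'Name,Age,City\nArihant,23,Bishnupur\nAyen,24,Medinipur\nSalim,24,"Ranchi, Jharkhand"\n'

if __name__ == "__main__":
    for label, quote in (("with FIELD_QUOTE", FIELD_QUOTE), ("without", None)):
        events, problems = check_csv(SAMPLE, quote)
        print(label, "->", len(events), "clean rows,", len(problems), "problem rows")
        for lineno, count, raw in problems:
            print(f"  line {lineno}: {count} fields, header has 3: {raw}")
```
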

Hope this has helped you achieve the requirement below without fail:

Forwarding CSV file to Indexer with Header in Splunk

Happy Splunking!!
