Forwarding CSV file to Indexer without Header in Splunk

Hi guys !!

Today we will show you how to send a CSV file.

We all know how to send a file from a UF to an indexer. Today we will learn something new and interesting: how to send a CSV file to the indexer.

Suppose we monitor a CSV file. The file can contain any type of information, such as a company's employee data. The field names that appear at the top of such a file are called the header.

In this situation, the field names should be declared before the file is stored in the indexer.

Suppose this is the sample file –

Arihant,23,Kolkata
Salim,25,Ranchi
Khusbu,22,kharagpur
Saroda,21,Behala

This data is saved in a file named csvfile.txt in the /tmp directory.

This file has 3 columns. From first to last they are Name, Age and City. Before indexing, the values will be assigned to these field names respectively.

Follow the steps given below.

Step 1:

First, set up inputs.conf on the UF and add the sourcetype and index name.

[monitor:///tmp/csvfile.txt]
index=csvfile
sourcetype=csv

Step 2:

Add outputs.conf on the same server. Here we add the IP address to which the data will be sent.

[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 10.128.0.2:9997
[tcpout-server://10.128.0.2:9997]

Step 3:

Then we add props.conf on the indexer and add the attributes that will perform the task.

[csv]
SHOULD_LINEMERGE=FALSE
REPORT-main=ccc

Here we use two attributes. The first one, SHOULD_LINEMERGE=FALSE, breaks the data into one event per line. The second one is REPORT-main=ccc, where main is the class name and ccc is the stanza name used in transforms.conf.

Step 4:

Then we add transforms.conf on the indexer and add the attributes that will perform the task.

[ccc]
DELIMS=","
FIELDS=Name,Age,City

Here ccc is the stanza name, which is referenced in props.conf. The second one is DELIMS=",". It is the delimiter, meaning the character by which the values are separated. The third one is FIELDS=Name,Age,City, where we define the field names in order.

NOTE: The props.conf and transforms.conf must be defined on the indexer. Otherwise it will not work.

Step 5:

Run the query index="csvfile" and you will see the values.

See all the fields have been created.
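
A pre-deployment check for the steps above, added here as an example (it is not from the original post and is not Splunk code): it reads the Step 4 stanza, applies a simplified positional model of DELIMS/FIELDS with no quote handling, and reports rows whose value count does not match the declared fields, or a first row that is actually a header. The two malformed sample rows and all function names are constructed for illustration.

```python
import configparser
import re

# transforms.conf stanza from Step 4 of the page.
TRANSFORMS_CONF = '[ccc]\nDELIMS=","\nFIELDS=Name,Age,City\n'

# Constructed sample: the page's four rows plus two malformed rows.
SAMPLE = """\
Arihant,23,Kolkata
Salim,25,Ranchi
Khusbu,22,kharagpur
Saroda,21,Behala
Rahul,24
Mina,26,Salt Lake,Kolkata
"""

def load_stanza(conf_text, stanza):
    """Return (delimiter characters, field names) from a DELIMS/FIELDS stanza."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep attribute names case-sensitive
    cp.read_string(conf_text)
    delims = cp[stanza]["DELIMS"].strip().strip('"')
    fields = [f.strip() for f in cp[stanza]["FIELDS"].split(",")]
    return delims, fields

def split_row(line, delims):
    """Split on any one delimiter character (assumption: no quoted values)."""
    return re.split("[" + re.escape(delims) + "]", line)

def has_header(sample, delims, fields):
    """True if the first row is the field names, i.e. the file is not header-less."""
    return split_row(sample.splitlines()[0], delims) == fields

def check(sample, delims, fields):
    """Assign values to fields by position; collect rows whose count is off."""
    events, problems = [], []
    for n, line in enumerate(sample.splitlines(), 1):
        values = split_row(line, delims)
        if len(values) != len(fields):
            problems.append((n, len(values), line))
        events.append(dict(zip(fields, values)))
    return events, problems

if __name__ == "__main__":
    delims, fields = load_stanza(TRANSFORMS_CONF, "ccc")
    print("header row present:", has_header(SAMPLE, delims, fields))
    for n, got, line in check(SAMPLE, delims, fields)[1]:
        print(f"line {n}: {got} values for {len(fields)} fields: {line}")
```
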

We hope this has helped you achieve the requirement below without fail:

Forwarding CSV file to Indexer without Header in  Splunk

 

Happy Splunking  !!
