Channel: Questions in topic: "splunk-enterprise"

Problem calculating fields at index time when input csv fields are all quoted

I was wondering if anyone knows about the following, and if there's any solution: I have tried to calculate two fields at index time when indexing a CSV (a monitored one) following the documentation. I achieved my objective having:

**/opt/splunk/import/sftp/mbr/FILE_NAME.CSV**

```
Header1,Header2,Header3
Field1,Field2,Field3
```

**INPUTS.CONF**

```
[monitor:///opt/splunk/import/sftp/mbr/FILE_NAME.csv]
index = my_index
disabled = 0
crcSalt =
sourcetype = my_sourcetype
```

**PROPS.CONF:**

```
[my_sourcetype]
CHARSET = ISO-8859-1
TZ = America/Sao_Paulo
TIME_FORMAT=%s
TIMESTAMP_FIELDS = Header1
MAX_TIMESTAMP_LOOKAHEAD=10
SHOULD_LINEMERGE = false
disabled = false
pulldown_type = true
INDEXED_EXTRACTIONS = csv
KV_MODE = none
NO_BINARY_CHECK = true
TRANSFORMS-company = company_transform
```

**TRANSFORMS.CONF:**

```
[company_transform]
REGEX = .*FILE_NAME.*
FORMAT = company::"100" companydesc::"MY COMPANY"
SOURCE_KEY = MetaData:Source
WRITE_META = true
```

* If FILE_NAME is in the source field, then index those fields.

**FIELDS.CONF**

```
[company]
INDEXED = True

[companydesc]
INDEXED = True
```

* I have seen that this is not necessary (without it everything works fine).

When indexed, I can see the ‘company’ and ‘companydesc’ fields indexed and searchable.

The problem comes when the CSV has every field between quotes "fieldN" (to avoid conflicts with text fields that already contain quotes):

**/opt/splunk/import/sftp/mbr/FILE_NAME.CSV**

```
"Header1","Header2","Header3"
"Field1", "Field2", "Field3"
```

When indexing this file, TRANSFORMS-company = company_transform stops working. Do you know what’s happening?

Many thanks in advance.

Kind Regards
