Refine your search:

Field Extraction do not work when using the UPLOAD method

0

Customer's issue was actually that for csv files, when setting the CHECK_FOR_HEADER=TRUE in props.conf and when uploading the file using the one time upload button through splunkweb, no automatic field extraction would happen.

I was able to reproduce this in my environment but the issue seems to go even further. When using props.conf to extract fields (at index time, this is no longer a csv-header issue) and then uploading a file, no field extractions happen at all.

Is this the default behavior? Is there any documentation about it?
Is it a bug?

asked 08 Jul '10, 18:21

Genti's gravatar image

Genti ♦
3.5k120
accept rate: 37%

2 Answers:
oldestnewestmost voted
0

Asking the dev's we understand that this is not the default behavior and that something is clearly broken in the code.
The workaround, till this gets fixed, would be not to use file uploading as a means to bring data to splunk if you care for field extractions. If you use regular monitoring stanza, both index-time field extractions as well as header-checking field extractions happen without any issues.

Cheers,
.gz

link

answered 08 Jul '10, 18:23

Genti's gravatar image

Genti ♦
3.5k120
accept rate: 37%

0

Another workaround here is to continue to use file uploads, but manually configure the delimiter based extraction for the source or sourcetype. It should be noted that CHECK_FOR_HEADER doesn't perform any magic beyond setting a per-sourcetype search-time field extraction rule. This is easy to achieve for a person after indexing the data. The documentation at http://www.splunk.com/base/Documentation/latest/Admin/Extractfieldsfromfileheadersatindextime shows the configuration that CHECK_FOR_HEADER makes when a new input comes in.

link

answered 19 Aug '10, 20:32

Stephen%20Sorkin's gravatar image

Stephen Sorkin ♦
7.1k47
accept rate: 52%

In many live environments, this is necessary anyway, as CHECK_FOR_HEADER doesn't work if files are collected by a forwarder and sent to an indexer, or if you have a distributed search head separate from your indexer or forwarder.

(19 Aug '10, 22:03) gkanapathy ♦
Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×514
×83
×27
×13

Asked: 08 Jul '10, 18:21

Seen: 653 times

Last updated: 19 Aug '10, 20:32

Related questions

After upgrade to splunk 4.1, I try to access the field extractions page in manager, and it doesn't work.

Adding a field extraction causes other fields to disappear

how to ignore the titile line of the csv file in the result? and display in a KV format?

CSV files with variable fields

Custom Field Extractions not visible in search head...

Quotes in CSV-formatted events

step by step, adding a new csv datasource

Zimbra monitoring with Splunk

Combining ASA/FWSM Field Extractions App with Splunk for Cisco Firewalls App

space-delimited txt file import

Copyright © 2005-2012 Splunk, Inc. All rights reserved.