CSV File being ingested and the headers are not showing up as fields
Quick question :I have ingested a CSV file through Cribl into Splunk and the headers from the first line are not showing up as fields in the output .Any idea ? Thanks
Answers
-
how is the event breaker configured in Cribl?
0 -
and what are you trying to do with the data? Pass it through to Splunk as CSV? With headers? Or parse it in flight and send to splunk as K=V or JSON?
0 -
If you're using the default event breaker (fallback) on the source, the CSV field data is going to get parsed into a separate event and not used as field names. You'll want to attach the CSV breaker (or custom one for handling CSV data) to your source.
0 -
If you want to dive deeper into event breaking, we have a Sandbox for this: https://sandbox.cribl.io/course/event-breaking
0 -
In fact, <@ULBGHDPNY> also put together an awesome video on Event Breaking too. This link will take you right to the section on CSV breakers https://youtu.be/kh6rTvw3tCU?t=394
0
