CSV files with headers

Hello list users!
I'm trying to get NetFlow data collected from Argus that I want to get into Splunk.
I'm taking the Argus data and using ra to generate an ASCII output file as a csv (comma separated) with a header row at the top. The files we are generating look like this:

Host,Region,StartTime,LastTime,Trans,Dur,Proto,SrcAddr,Sport,DstAddr,Dport,SrcBytes,DstBytes,SrcPkts,DstPkts,pSrcLoss,pDstLoss,SrcRate,DstRate,TcpRtt(Sec),State
NIDS-03,US,06/04/09 02:59:57.01,06/04/09 03:00:02.01,1,5.00,6,16.1.26.245,41368,19.7.8.6,80,667638,0,10096,0,0.00,0.00,2019.27,0.00,0.00,PA_
NIDS-03,US,06/04/09 02:59:56.86,06/04/09 02:59:57.18,1,0.32,17,19.7.8.3,44225,202.56.230.6,53,198,512,2,2,0.00,0.00,333333.32,90909.09,0.00,CON

The machine that has this data is set up as a Splunk forwarder and I have the inputs.conf on this forwarder set up like so:

[batch:///data/argus-splunk]
move_policy = sinkhole
disabled = false
host = 06
host_segment = 05
sourcetype = netflow

When I copy this file into that directory Splunk reads it and forwards it to the Splunk server and a new sourcetype "netflow" shows up on the server.

However, Splunk cannot match the headers (Host, Region, StartTime, LastTime, etc.) with the columns.

Has someone done this before that can help me with this?

Thanks,
Ralph

Put this in props.conf:


[netflow]
REPORT-foobar=argus_extractions

Put this in transforms.conf:


[argus_extractions]
DELIMS=","
FIELDS="Host","Region","StartTime","LastTime","Trans","Dur","Proto","SrcAddr","Sport","DstAddr","Dport","SrcBytes","DstBytes","SrcPkts","DstPkts","pSrcLoss","pDstLoss","SrcRate","DstRate","TcpRtt(Sec)","State"

Then restart Splunk. You will then be able to select these fields from the fields picker.
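An added check, not from the thread or from Splunk itself: a Python script that compares the FIELDS list of a transforms.conf stanza against the header row of the ra output and can generate the FIELDS line straight from that header. The sample header and the stanza are constructed from the question above; the stanza deliberately has a missing quote pair between Proto and SrcAddr, which is the kind of typo that silently shifts every later field by one column.

```python
import csv
import io
import re

# Constructed sample: the header row of the Argus/ra output quoted in the question.
ARGUS_HEADER = ("Host,Region,StartTime,LastTime,Trans,Dur,Proto,SrcAddr,Sport,DstAddr,"
                "Dport,SrcBytes,DstBytes,SrcPkts,DstPkts,pSrcLoss,pDstLoss,SrcRate,"
                "DstRate,TcpRtt(Sec),State")

# Constructed sample: a transforms.conf stanza with a missing quote pair, so
# Proto and SrcAddr collapse into one field name and every later field shifts.
TRANSFORMS_BAD = (
    '[argus_extractions]\n'
    'DELIMS=","\n'
    'FIELDS="Host","Region","StartTime","LastTime","Trans","Dur","Proto,SrcAddr",'
    '"Sport","DstAddr","Dport","SrcBytes","DstBytes","SrcPkts","DstPkts",'
    '"pSrcLoss","pDstLoss","SrcRate","DstRate","TcpRtt(Sec)","State"\n'
)

def header_columns(header_line):
    """Split the CSV header row into column names."""
    return next(csv.reader(io.StringIO(header_line)))

def parse_fields(stanza_text):
    """Return the quoted field names from the stanza's FIELDS= line."""
    for line in stanza_text.splitlines():
        if line.startswith("FIELDS="):
            return re.findall(r'"([^"]*)"', line[len("FIELDS="):])
    return []

def fields_line(header_line):
    """Build a FIELDS= line straight from the header so the two cannot drift."""
    return "FIELDS=" + ",".join(f'"{c}"' for c in header_columns(header_line))

def check_fields(header_line, stanza_text):
    """Compare FIELDS against the header; report the first column mismatch found."""
    columns = header_columns(header_line)
    fields = parse_fields(stanza_text)
    problems = [f"field name contains the delimiter: {f!r}" for f in fields if "," in f]
    if len(fields) != len(columns):
        problems.append(f"{len(fields)} FIELDS but {len(columns)} header columns")
    for c, f in zip(columns, fields):
        if c != f:
            problems.append(f"column {c!r} would be extracted as {f!r}")
            break
    return {"fields": len(fields), "columns": len(columns), "problems": problems}

# A stanza generated from the header passes the check with no problems.
TRANSFORMS_GOOD = '[argus_extractions]\nDELIMS=","\n' + fields_line(ARGUS_HEADER) + "\n"
```

Run check_fields() against the real header line of a generated file before restarting Splunk; a non-empty problems list means the fields picker will show names attached to the wrong columns.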