CSV files with headers.

araitz — Mon, 08 Jun 2009 08:58:51 PDT

Put this in props.conf:


[netflow]
REPORT-foobar=argus_extractions

Put this in transforms.conf:


[argus_extractions]
DELIMS=","
FIELDS="Host","Region","StartTime","LastTime","Trans","Dur","Proto,SrcAddr","Sport","DstAddr","Dport","SrcBytes","DstBytes","SrcPkts","DstPkts","pSrcLoss","pDstLoss","SrcRate","DstRate","TcpRtt(Sec)","State"

Then restart Splunk. You will then be able to select these fields from the fields picker.

CSV files with headers.

rcrongeyer — Fri, 05 Jun 2009 11:55:00 PDT

Hello list users!
I'm trying to get NetFlow data collected from Argus that I want to get into Splunk.
I'm taking the Argus data and using ra to generate an ASCII output file as a csv (coma seperated) with a header row at the top that looks like this:
the files we are generating look like this:

Host,Region,StartTime,LastTime,Trans,Dur,Proto,SrcAddr,Sport,DstAddr,Dport,SrcBytes,DstBytes,SrcPkts,DstPkts,pSrcLoss,pDstLoss,SrcRate,DstRate,TcpRtt(Sec),State
NIDS-03,US,06/04/09 02:59:57.01,06/04/09 03:00:02.01,1,5.00,6,16.1.26.245,41368,19.7.8.6,80,667638,0,10096,0,0.00,0.00,2019.27,0.00,0.00,PA_
NIDS-03,US,06/04/09 02:59:56.86,06/04/09 02:59:57.18,1,0.32,17,19.7.8.3,44225,202.56.230.6,53,198,512,2,2,0.00,0.00,333333.32,90909.09,0.00,CON

The machine that has this data is setup as a Splunk forwarder and I have the inputs.conf on this forwarder set up like so:

[batch:///data/argus-splunk]
move_policy = sinkhole
disabled = false
host = 06
host_segment = 05
sourcetype = netflow

When I copy this file into that directory Splunk reads it and forwards it to to the Splunk server and a net sourcetype shows up on the server "netflow".

However Splunk cannot match the headers (Host,Region,StartTime,LastTime etc) with the columns?

Has someone done this befor that can help me with this?

Thanks,
Ralph

Splunk Base : SplunkAdministration : #2828

CSV files with headers.

CSV files with headers.