Quick question: I have ingested a CSV file through Cribl into Splunk and the headers from the first line are not showing up as fields in the output. Any idea? Thanks
How is the event breaker configured in Cribl?
And what are you trying to do with the data? Pass it through to Splunk as CSV? With headers? Or parse it in flight and send to Splunk as K=V or JSON?
If you're using the default event breaker (fallback) on the source, the CSV field data is going to get parsed into a separate event and not used as field names. You'll want to attach the CSV breaker (or a custom one for handling CSV data) to your source.
If you want to dive deeper into event breaking, we have a Sandbox for this: https://sandbox.cribl.io/course/event-breaking
In fact, <@ULBGHDPNY> also put together an awesome video on Event Breaking too. This link will take you right to the section on CSV breakers https://youtu.be/kh6rTvw3tCU?t=394
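The behaviour described in the replies above, as an added example that is not part of the original thread and is not Cribl's code: a simplified Python model of a newline-only breaker next to a header-aware CSV breaker, plus a check for a header row that was ingested as an ordinary event. The sample data and all function names are constructed for illustration.

```python
import csv
import io

# Constructed sample input (not from the original thread).
SAMPLE = (
    "timestamp,src_ip,action,user\n"
    '2024-05-01T10:00:00Z,10.0.0.5,login,"Smith, Jane"\n'
    "2024-05-01T10:00:07Z,10.0.0.9,logout,bob\n"
)


def break_by_line(data):
    """Model of a newline-only breaker: every line, header included, is an event."""
    return [{"_raw": line} for line in data.splitlines() if line.strip()]


def break_with_header(data):
    """Model of a header-aware CSV breaker: line 1 names the fields of later rows."""
    reader = csv.reader(io.StringIO(data))
    header = next(reader, None)
    if header is None:
        return []
    events = []
    for row in reader:
        if not row:
            continue
        if len(row) != len(header):
            # Keep malformed rows visible instead of silently mis-mapping columns.
            events.append({"_raw": ",".join(row),
                           "_parse_error": "column count mismatch"})
            continue
        events.append(dict(zip(header, row)))
    return events


def header_leaked(events, header_line):
    """Check whether the header row was ingested as an ordinary event."""
    return any(e.get("_raw") == header_line for e in events)


if __name__ == "__main__":
    header_line = SAMPLE.splitlines()[0]
    for breaker in (break_by_line, break_with_header):
        events = breaker(SAMPLE)
        print(breaker.__name__, len(events), "events,",
              "header leaked:", header_leaked(events, header_line))
```

Searching the destination index for events whose raw text equals the header line is a quick way to confirm which of the two behaviours a source is producing.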