On This Page

Home / Stream/ Working with Data/ Event Data Structure and Flow/ Event Breaker Types/CSV Event Breaker

CSV Event Breaker

The CSV Event Breaker can take in Comma Separated Value (CSV) data streams and automatically extract fields. It can process structured, tabular data where a header row defines the field names for all subsequent rows.

Use this Event Breaker:

  • Whenever you are ingesting data that adheres to the CSV standard.
  • For output from databases, financial logs, spreadsheets, or network device reports. The Event Breaker handles row delineation, field extraction, and quoting rules for this type of data.

See Event Breakers for general information about event breakers.

Settings

Selecting the CSV Event Breaker type exposes these additional settings:

  • Delimiter: The character used to separate or split individual field values within a row. For standard CSV, the default is a comma (,). Change the delimiter for TSV (Tab Separated Values) or when dealing with logs that use a pipe (|) or semicolon (;) as a separator. Defaults to ,.

  • Quote Char: The character used to enclose and protect field values that contain the delimiter character itself. For example, if a field is "10,000", the quotes tell the breaker that the comma is part of the value, not a separator. Defaults to ".

  • Escape Char: The character used to indicate that the next character should be treated literally. It is often used to escape the Quote Char itself within a quoted field. For example, to include a literal double-quote inside a quoted field, you might use an escape character: "He said, ""Hello."" Defaults to ".

Configuration Example

The following is an example of data input before the CSV Event Breaker processes it:

Example raw input - CSV format
time,host,source,model,serial,bytes_in,bytes_out,cpu
1611768713,"myHost1","anet","cisco","ASN4204269",11430,43322,0.78
1611768714,"myHost2","anet","cisco","ASN420423",345062,143433,0.28

Output

The CSV Event Breaker treats the first line of the input as the header row and automatically extracts those names as event fields for all subsequent rows. It will also properly add quotes around all values in the _raw field of the output events, regardless of their initial state.

From the example raw data, the CSV Event Breaker would generate two output events:

Example CSV Output as JSON
{
  "_raw": "\"1611768713\",\"myHost1\",\"anet\",\"cisco\",\"ASN4204269\",\"11430\",\"43322\",\"0.78\"",
  "time": "1611768713",
  "host": "myHost1",
  "source": "anet",
  "model": "cisco",
  "serial": "ASN4204269",
  "bytes_in": "11430",
  "bytes_out": "43322",
  "cpu": "0.78",
  "_time": 1611768713
}
{
  "_raw": "\"1611768714\",\"myHost2\",\"anet\",\"cisco\",\"ASN420423\",\"345062\",\"143433\",\"0.28\"",
  "time": "1611768714",
  "host": "myHost2",
  "source": "anet",
  "model": "cisco",
  "serial": "ASN420423",
  "bytes_in": "345062",
  "bytes_out": "143433",
  "cpu": "0.28",
  "_time": 1611768714
}