https://community.splunk.com/t5/Splunk-Enterprise/Splunk-doesn-t-index-csv-at-all/m-p/602274#M12888 <P>Solved. by myself&nbsp;</P><P>I've to set TIME_PREFIX in props.conf to instruct that the timestamp is the second field and not the first.</P><P>It's nice to note that the problem there is now that I've some object that has the ID similiar to a UNIX TIMESTAMP.&nbsp;</P><P>&nbsp;</P><P>Closed</P> Fri, 17 Jun 2022 17:44:21 GMT fabrizioalleva 2022-06-17T17:44:21Z https://community.splunk.com/t5/Splunk-Enterprise/Splunk-doesn-t-index-csv-at-all/m-p/602252#M12884 <P>Hi all,</P><P>I'm working on a deploy with Universal Forwader, Heavy Forwarder and Indexer Cluster and Search Cluster.</P><P>The problem is this:</P><P>I'm indexing data from different csv since long time. For the first time yesterday I realized that not all the raw of my csv files are indexed at all.&nbsp;</P><P>For example:</P><P>In a csv I count 24k rows and when I perform a stats count on the index I see only 16/17k rows.</P><P>Each file rotates every minutes.&nbsp;</P><P>In the log there's anything that leads to an error.</P><P>In the UNIVERSAL FORWARDE I've this in <STRONG>inputs.conf</STRONG></P><P>[batch:///var/opt/OV/shared/perfSpi/datafiles/metric/final/F5_ResurcesGroup*]<BR />disabled = 0<BR />index = f5_metrics<BR />sourcetype = f5_metrics<BR />initCrcLength = 100000<BR />move_policy = sinkhole</P><P>In the HEAVY FORWARDER:</P><P><STRONG>props.conf</STRONG></P><P>[f5_metrics]<BR />INDEXED_EXTRACTIONS = CSV<BR />HEADER_FIELD_LINE_NUMBER=1<BR />HEADER_FIELD_DELIMITER =,<BR />FIELD_DELIMITER=,<BR />HEADER_FIELD_LINE_NUMBER = 0<BR />SEDCMD-dropheader = s/^"Node.+//g<BR />SEDCMD-select_fields = s/([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*)/\1,\2,\4,\5,\9,\17,\18/g<BR />#SEDCMD-select_fields = s/([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*)/\1,\4,\5,\9,\17,\18/g<BR />TRANSFORMS-f5_fields_name_extract=f5_fields_name_extract</P><P>and in the <STRONG>transform.conf</STRONG>&nbsp;</P><P>[f5_fields_name_extract]<BR />REGEX=([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*)<BR />FORMAT=NodeID::$1 TimeStamp::$2 period_length::$3 ltmVirtualServStatClientCurConns::$4 ltmVirtualServStatVsUsageRatio1m::$5 DisplayAttribute::$6 PollingInterval::$7<BR />#FORMAT=NodeID::$1 period_length::$2 ltmVirtualServStatClientCurConns::$3 ltmVirtualServStatVsUsageRatio1m::$4 DisplayAttribute::$5 PollingInterval::$6<BR />WRITE_META = true</P><P>Any suggestion ?</P><P>Thanks Fabrizio</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 17 Jun 2022 14:25:43 GMT https://community.splunk.com/t5/Splunk-Enterprise/Splunk-doesn-t-index-csv-at-all/m-p/602252#M12884 fabrizioalleva 2022-06-17T14:25:43Z https://community.splunk.com/t5/Splunk-Enterprise/Splunk-doesn-t-index-csv-at-all/m-p/602274#M12888 <P>Solved. by myself&nbsp;</P><P>I've to set TIME_PREFIX in props.conf to instruct that the timestamp is the second field and not the first.</P><P>It's nice to note that the problem there is now that I've some object that has the ID similiar to a UNIX TIMESTAMP.&nbsp;</P><P>&nbsp;</P><P>Closed</P> Fri, 17 Jun 2022 17:44:21 GMT https://community.splunk.com/t5/Splunk-Enterprise/Splunk-doesn-t-index-csv-at-all/m-p/602274#M12888 fabrizioalleva 2022-06-17T17:44:21Z