https://community.splunk.com/t5/Getting-Data-In/Issues-with-csv-Splunk-File-Monitoring/m-p/747798#M118808 <P>Hi Splunkers, a colleague team si facing some issues related to .csv file collection. Let me share&nbsp; the required context.</P><P>We have a .csv file that is sent to a sftp server. The sending is 1 per day: this means that every day, the file is write once and never modified. In addiction to this, even if the file is a csv one, it has a .log extension.</P><P>On this server, the Splunk UF is installed and configured to read this daily file.</P><P>What currently happen is the following:</P><OL><LI>The file is read many time: multiple occurrence of error message like:&nbsp;<P><STRONG>INFO&nbsp; WatchedFile [23227 tailreader0] - File too small to check seekcrc, probably truncated.&nbsp; Will re-read entire file=&lt;file name here&gt;</STRONG> can be got from internal logs</P></LI><LI><P>&nbsp;</P><P><SPAN>The csv header is viewed like an event. This means that, for example, the file contains 1000 events, performing a search in assigned index we have 1000 + x&nbsp; events; each of this x events does not contains real events, but the csv header file. So, we see the header as an event/logs.</SPAN></P></LI></OL><P><SPAN>For the first problem, I suggested to my team to use the&nbsp;<STRONG>initCrcLength</STRONG> parameter, properly set.<BR />For the second one, I shared them to ensure that following parameter are set:</SPAN></P><LI-CODE lang="markup">INDEXED_EXTRACTIONS = csv HEADER_FIELD_LINE_NUMBER = 1 CHECK_FOR_HEADER = true </LI-CODE><P>In addition to this, I suggested them to avoid the default line breaker; in the inputs.conf file is set the following one:</P><LI-CODE lang="markup"> LINE_BREAKER = ([\r\n]+)</LI-CODE><P>That could be the root cause/one of the cause of header extraction as events.</P><P>I don't know if those changes has fixed the events (they are still performing required restarts), but I would ask you if any other possible fix should be applied.</P><P>Thanks!</P> Wed, 11 Jun 2025 09:26:37 GMT SplunkExplorer 2025-06-11T09:26:37Z https://community.splunk.com/t5/Getting-Data-In/Issues-with-csv-Splunk-File-Monitoring/m-p/747798#M118808 <P>Hi Splunkers, a colleague team si facing some issues related to .csv file collection. Let me share&nbsp; the required context.</P><P>We have a .csv file that is sent to a sftp server. The sending is 1 per day: this means that every day, the file is write once and never modified. In addiction to this, even if the file is a csv one, it has a .log extension.</P><P>On this server, the Splunk UF is installed and configured to read this daily file.</P><P>What currently happen is the following:</P><OL><LI>The file is read many time: multiple occurrence of error message like:&nbsp;<P><STRONG>INFO&nbsp; WatchedFile [23227 tailreader0] - File too small to check seekcrc, probably truncated.&nbsp; Will re-read entire file=&lt;file name here&gt;</STRONG> can be got from internal logs</P></LI><LI><P>&nbsp;</P><P><SPAN>The csv header is viewed like an event. This means that, for example, the file contains 1000 events, performing a search in assigned index we have 1000 + x&nbsp; events; each of this x events does not contains real events, but the csv header file. So, we see the header as an event/logs.</SPAN></P></LI></OL><P><SPAN>For the first problem, I suggested to my team to use the&nbsp;<STRONG>initCrcLength</STRONG> parameter, properly set.<BR />For the second one, I shared them to ensure that following parameter are set:</SPAN></P><LI-CODE lang="markup">INDEXED_EXTRACTIONS = csv HEADER_FIELD_LINE_NUMBER = 1 CHECK_FOR_HEADER = true </LI-CODE><P>In addition to this, I suggested them to avoid the default line breaker; in the inputs.conf file is set the following one:</P><LI-CODE lang="markup"> LINE_BREAKER = ([\r\n]+)</LI-CODE><P>That could be the root cause/one of the cause of header extraction as events.</P><P>I don't know if those changes has fixed the events (they are still performing required restarts), but I would ask you if any other possible fix should be applied.</P><P>Thanks!</P> Wed, 11 Jun 2025 09:26:37 GMT https://community.splunk.com/t5/Getting-Data-In/Issues-with-csv-Splunk-File-Monitoring/m-p/747798#M118808 SplunkExplorer 2025-06-11T09:26:37Z https://community.splunk.com/t5/Getting-Data-In/Issues-with-csv-Splunk-File-Monitoring/m-p/747803#M118809 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/249714">@SplunkExplorer</a>&nbsp;</P><P>I think the message about re-reading the file shouldnt be an issue in your case.</P><P>You mentioned setting LINE_BREAKER in inputs.conf, however this should be in props.conf - having said that - I think the default should be sufficient for your CSV file.</P><P>If you set&nbsp;HEADER_FIELD_LINE_NUMBER=0 (default) do you get the same results?</P><P>What does the first line with the headers look like, is it a typical comma (,) separated list of headers? No quotes, spaces,tabs etc etc? If so the default&nbsp;FIELD_DELIMITER should suffice but want to check.</P><P>I'm not 100% sure I follow what you mean about the headers, do you mean that for each event you also see the header printed?</P><P><span class="lia-unicode-emoji" title=":glowing_star:">🌟</span><SPAN>&nbsp;</SPAN><STRONG>Did this answer help you?</STRONG><SPAN>&nbsp;</SPAN>If so, please consider:</P><UL><LI>Adding karma to show it was useful</LI><LI>Marking it as the solution if it resolved your issue</LI><LI>Commenting if you need any clarification</LI></UL><P>Your feedback encourages the volunteers in this community to continue contributing</P> Wed, 11 Jun 2025 10:36:40 GMT https://community.splunk.com/t5/Getting-Data-In/Issues-with-csv-Splunk-File-Monitoring/m-p/747803#M118809 livehybrid 2025-06-11T10:36:40Z https://community.splunk.com/t5/Getting-Data-In/Issues-with-csv-Splunk-File-Monitoring/m-p/747828#M118810 Can you show current inputs.conf and props.conf stanzas for this CSV file?<BR />And example (modified) from 1st 2 lines (header + real masked events) from that file? Wed, 11 Jun 2025 15:50:51 GMT https://community.splunk.com/t5/Getting-Data-In/Issues-with-csv-Splunk-File-Monitoring/m-p/747828#M118810 isoutamo 2025-06-11T15:50:51Z https://community.splunk.com/t5/Getting-Data-In/Issues-with-csv-Splunk-File-Monitoring/m-p/747938#M118836 <P>Hi!&nbsp;</P><P>here below what you have requested:&nbsp;</P><P>props.conf<BR />[GDPR_ZUORA]<BR />SHOULD_LINEMERGE=false<BR />#LINE_BREAKER=([\r\n]+)<BR />NO_BINARY_CHECK=true<BR />CHARSET=UTF-8<BR />INDEXED_EXTRACTIONS=csv<BR />KV_MODE=none<BR />category=Structured<BR />description=Comma-separated value format. Set header and other settings in "Delimited Settings"<BR />pulldown_type=true<BR />HEADER_FIELD_LINE_NUMBER = 1<BR />CHECK_FOR_HEADER = true<BR />#SHOULD_LINEMERGE = false<BR />#FIELD_DELIMITER = ,<BR />#FIELD_NAMES = date,hostname,app,action,ObjectName,user,operation,value_before,value_after,op_target,description</P><P>inputs.conf<BR />[monitor:///sftp/Zuora/LOG-Zuora-*.log]<BR />disabled = false<BR />index = sftp_compliance<BR />sourcetype = GDPR_ZUORA<BR />source = GDPR_ZUORA<BR />initCrcLength = 256</P><P>First 2 lines of the file monitored:<BR />DataOra,ServerSorgente,Applicazione,TipoAzione,TipologiaOperazione,ServerDestinazione,UserID,UserName,OldValue,NewValue,Note<BR />2025-06-05T23:22:01.157Z,,Zuora,Tenant Property,UPDATED,,3,ScheduledJobUser,2025-06-04T22:07:09.005473Z,2025-06-05T22:21:30.642092Z,BIN_DATA_UPDATE_FROM</P><P>&nbsp;</P> Fri, 13 Jun 2025 13:19:36 GMT https://community.splunk.com/t5/Getting-Data-In/Issues-with-csv-Splunk-File-Monitoring/m-p/747938#M118836 marsantamaria 2025-06-13T13:19:36Z