https://community.splunk.com/t5/Getting-Data-In/Why-Splunk-can-t-index-very-large-csv-files/m-p/341177#M62887 <P>Hmmm. Those May and June numbers are bizarrely out of whack with the rest. May got near 100% indexed, and June about 43%. That's probably NOT a clue, but I'd keep it in mind while looking at everything else.</P> <P>I'd do the same thing again, putting the results into two different temporary indexes. If the resultant load numbers for the full file are not identical to the first results, then I'd look at memory usage and so on. </P> <P>Next, I'd <CODE>diff</CODE> the full results against the partial load results to see which records were dropped. </P> <P>Finally, I might set up two different sourcetypes, and set one to send any records before April 1 to the null queue, and the other to send any after March 31 to the null queue, and see whether they successfully loaded all the appropriate records. </P> <HR /> <P><CODE>Truncate</CODE> setting in props.conf is for each line, so that's not relevant. </P> <P>Check this one here for the notes on the TRUNCATE setting.</P> <P><A href="https://answers.splunk.com/answers/80146/splunk-search-of-indexed-csv-file-does-not-pull-out-all-the-fields.html">https://answers.splunk.com/answers/80146/splunk-search-of-indexed-csv-file-does-not-pull-out-all-the-fields.html</A></P> <HR /> <P><CODE>max_mem_usage_mb</CODE> in limits.conf affects searches, apparently not indexing, so that's probably not it.</P> Wed, 02 Aug 2017 14:29:54 GMT DalJeanis 2017-08-02T14:29:54Z https://community.splunk.com/t5/Getting-Data-In/Why-Splunk-can-t-index-very-large-csv-files/m-p/341176#M62886 <P>I am using a csv file to input data in my local Splunk Enterprise.<BR /> I have a very big csv file that is around 100mb.</P> <P>The data in my csv file contains the following count of events:<BR /> January: 36,055<BR /> February: 37,613<BR /> March: 41,521<BR /> April: 33,697<BR /> May : 39,980<BR /> June: 36,994<BR /> July: 31,963</P> <P>After loading the data into Splunk, the data in Splunk contains the following count of events:<BR /> January: 29,416<BR /> February: 32,042<BR /> March: 37,516<BR /> April: 33,458<BR /> May : 39,975<BR /> June: 15,935<BR /> July: 22,766</P> <P>Note: My index usage is only 243MB/488.28GB</P> <P>I tried cutting my csv file to only May June and July data and uploaded it to Splunk.<BR /> csv count:<BR /> May : 39,980<BR /> June: 36,994<BR /> July: 31,963</P> <P>Splunk count:<BR /> May : 39,980<BR /> June: 36,994<BR /> July: 31,963</P> <P>So this means I have no problem with the formatting of the timestamp in my csv file.</P> <P>Could you help me find the configuration that causes this truncation?<BR /> or atleast help me on how to investigate it?<BR /> I will appreciate any response regarding the matter.</P> Wed, 02 Aug 2017 13:20:52 GMT https://community.splunk.com/t5/Getting-Data-In/Why-Splunk-can-t-index-very-large-csv-files/m-p/341176#M62886 bonnlbbelandres 2017-08-02T13:20:52Z https://community.splunk.com/t5/Getting-Data-In/Why-Splunk-can-t-index-very-large-csv-files/m-p/341177#M62887 <P>Hmmm. Those May and June numbers are bizarrely out of whack with the rest. May got near 100% indexed, and June about 43%. That's probably NOT a clue, but I'd keep it in mind while looking at everything else.</P> <P>I'd do the same thing again, putting the results into two different temporary indexes. If the resultant load numbers for the full file are not identical to the first results, then I'd look at memory usage and so on. </P> <P>Next, I'd <CODE>diff</CODE> the full results against the partial load results to see which records were dropped. </P> <P>Finally, I might set up two different sourcetypes, and set one to send any records before April 1 to the null queue, and the other to send any after March 31 to the null queue, and see whether they successfully loaded all the appropriate records. </P> <HR /> <P><CODE>Truncate</CODE> setting in props.conf is for each line, so that's not relevant. </P> <P>Check this one here for the notes on the TRUNCATE setting.</P> <P><A href="https://answers.splunk.com/answers/80146/splunk-search-of-indexed-csv-file-does-not-pull-out-all-the-fields.html">https://answers.splunk.com/answers/80146/splunk-search-of-indexed-csv-file-does-not-pull-out-all-the-fields.html</A></P> <HR /> <P><CODE>max_mem_usage_mb</CODE> in limits.conf affects searches, apparently not indexing, so that's probably not it.</P> Wed, 02 Aug 2017 14:29:54 GMT https://community.splunk.com/t5/Getting-Data-In/Why-Splunk-can-t-index-very-large-csv-files/m-p/341177#M62887 DalJeanis 2017-08-02T14:29:54Z https://community.splunk.com/t5/Getting-Data-In/Why-Splunk-can-t-index-very-large-csv-files/m-p/341178#M62888 <P>My suspicion is that you have a malformed CSV (missing/extra commans, merged lines, etc.). How are you sending this CSV to Splunk? Why are you not using it as a <CODE>lookup</CODE> instead (how often does it change)?</P> Wed, 02 Aug 2017 14:35:06 GMT https://community.splunk.com/t5/Getting-Data-In/Why-Splunk-can-t-index-very-large-csv-files/m-p/341178#M62888 woodcock 2017-08-02T14:35:06Z