I'm new to Splunk; I would really appreciate some help here.
This is what I have done. I installed Splunk Enterprise on Windows 10, running the latest release, Splunk version 7.0.1 build 2b5b15c4ee89:
1. Ensured the env variables are set for SPLUNK_HOME and SPLUNK_DB
2. There was no existing indexes.conf in the local directory, so I copied and modified the indexes.conf from default and put it in $SPLUNK_HOME/etc/system/local. The indexes were created and look fine.
3. Next I downloaded a .csv file from Amazon, called 01-Jan-2016_to_16-Dec-2017.csv.
4. Then I uploaded the file in the GUI and set the sourcetype to amazon_purchases and the index to amazon_purchases.
I was able to see my uploaded data in Splunk core, but when I switched over to the app, nothing is showing up.
I checked splunkd.log and there are errors:
12-16-2017 10:54:42.598 -0800 ERROR ExecProcessor - message from "C:\Program Files\Splunk\bin\splunk-winevtlog.exe" splunk-winevtlog - WinEventMon::configure: Failed to find Event Log with channel name='Microsoft-Windows-Sysmon/Operational'
12-16-2017 10:54:57.854 -0800 WARN LookupOperator - Unable to find property=filename for lookup=zip_amazon.csv will attempt to use implicit filename.
12-16-2017 10:54:57.855 -0800 WARN LookupOperator - Using implicit filename=C:\Program Files\Splunk\etc\apps\amazon_purchases\lookups\zip_amazon.csv implicit lookups do not use transforms.conf-defined settings.
12-16-2017 10:54:57.881 -0800 WARN LookupOperator - Unable to find property=filename for lookup=zip_amazon.csv will attempt to use implicit filename.
I'm not sure why it is referencing amazon.csv; that is not the name of my .csv file, but I see this in a list after I upload (I can't recall where). I even tried renaming my .csv file, and of course that did not work either.
Help! What am I doing wrong? It has to be something simple that I have missed.
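The two splunkd.log messages quoted in the post point at two configuration files rather than at the uploaded data: the LookupOperator warning is what Splunk emits when props.conf references a lookup whose transforms.conf stanza has no `filename` setting (so the stanza name is used as the file name and the rest of the stanza is ignored), and the splunk-winevtlog error is what it emits when inputs.conf enables a `WinEventLog://` channel that does not exist on the host (the Sysmon channel is only present once Sysmon is installed). The script below is an added example, not code from the original post or from Splunk: it parses Splunk-style .conf text and reports both conditions. The props.conf, transforms.conf and inputs.conf contents, the `amazon_purchases` stanza, the `LOOKUP-zip` key and the host channel list are all constructed for the example; on a real host the app's files live under `$SPLUNK_HOME/etc/apps/<app>/local` and the channel list comes from `wevtutil el`.

```python
"""Lint two common Splunk app configuration mistakes (added example).

1. props.conf LOOKUP-* keys whose transforms.conf stanza is missing or
   lacks 'filename' (cause of 'Unable to find property=filename for lookup=').
2. inputs.conf WinEventLog:// stanzas enabled for channels the host lacks
   (cause of 'Failed to find Event Log with channel name=').
All sample conf text and the channel list are constructed for this example.
"""
import configparser

# Constructed props.conf for a hypothetical app 'amazon_purchases'.
PROPS_CONF = """
[amazon_purchases]
LOOKUP-zip = zip_amazon.csv zip OUTPUT city state
"""

# Constructed transforms.conf as it would look when 'filename' was forgotten.
TRANSFORMS_BROKEN = """
[zip_amazon.csv]
max_matches = 1
"""

# Same stanza with the explicit filename that LookupOperator was looking for.
TRANSFORMS_FIXED = """
[zip_amazon.csv]
filename = zip_amazon.csv
max_matches = 1
"""

# Constructed listing of $SPLUNK_HOME/etc/apps/amazon_purchases/lookups/.
LOOKUP_FILES = {"zip_amazon.csv"}

# Constructed inputs.conf; Sysmon is enabled but not installed on the host.
INPUTS_CONF = """
[WinEventLog://Security]
disabled = 0

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0

[WinEventLog://Microsoft-Windows-PowerShell/Operational]
disabled = 1
"""

# Constructed stand-in for the output of `wevtutil el` on the host.
HOST_CHANNELS = {"Application", "Security", "System"}


def parse_conf(text):
    """Parse Splunk-style .conf text: INI stanzas, case-sensitive keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # keep key case; Splunk keys like LOOKUP-zip are case-sensitive
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def check_lookups(props_text, transforms_text, lookup_files):
    """Return (props_stanza, key, transform, problem) for every LOOKUP-* key
    in props.conf that does not resolve to an explicit, present lookup file."""
    props = parse_conf(props_text)
    transforms = parse_conf(transforms_text)
    problems = []
    for stanza, keys in props.items():
        for key, value in keys.items():
            if not key.startswith("LOOKUP-"):
                continue
            transform = value.split()[0]  # '<transform> <field> OUTPUT ...'
            spec = transforms.get(transform)
            if spec is None:
                problems.append((stanza, key, transform, "no such stanza in transforms.conf"))
            elif "filename" not in spec:
                problems.append((stanza, key, transform, "stanza has no filename (implicit lookup)"))
            elif spec["filename"] not in lookup_files:
                problems.append((stanza, key, transform, "filename %s not in lookups/" % spec["filename"]))
    return problems


def check_event_log_inputs(inputs_text, host_channels):
    """Return enabled WinEventLog:// channels that the host does not have."""
    missing = []
    for stanza, keys in parse_conf(inputs_text).items():
        if not stanza.startswith("WinEventLog://"):
            continue
        if keys.get("disabled", "0").strip().lower() in ("1", "true"):
            continue  # disabled stanzas are never opened by splunk-winevtlog
        channel = stanza[len("WinEventLog://"):]
        if channel not in host_channels:
            missing.append(channel)
    return missing


if __name__ == "__main__":
    for p in check_lookups(PROPS_CONF, TRANSFORMS_BROKEN, LOOKUP_FILES):
        print("lookup problem:", p)
    print("after fix:", check_lookups(PROPS_CONF, TRANSFORMS_FIXED, LOOKUP_FILES))
    print("missing channels:", check_event_log_inputs(INPUTS_CONF, HOST_CHANNELS))
```

Run against the real files by reading `$SPLUNK_HOME/etc/apps/<app>/local/props.conf`, `transforms.conf` and `inputs.conf` and passing the directory listing of `lookups/` and the output of `wevtutil el`. The third check in `check_lookups` catches the case the post describes, where the uploaded file name does not match the name the lookup stanza expects. Note that the checker only reads `local/`; Splunk layers `default/` under it, so a stanza you cannot see in `local/` may still be coming from the app's `default/` directory.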