I'm new to Splunk; I would really appreciate some help here.
This is what I have done: I installed Splunk Enterprise on Windows 10, running the latest release, Splunk version 7.0.1 build 2b5b15c4ee89.
1. Ensured the environment variables SPLUNK_HOME and SPLUNK_DB are set.
2. There was no existing indexes.conf in the local directory, so I copied the indexes.conf from default, modified it, and put it in $SPLUNK_HOME/etc/system/local. The indexes were created and look fine.
3. Next I downloaded a .csv file from Amazon; it is called 01-Jan-2016to16-Dec-2017.csv.
4. Then I uploaded the file in the GUI and set the sourcetype to amazonpurchases and the index to amazonpurchases.
I was able to see my uploaded data in Splunk core, but when I switched over to the app, nothing shows up.
I checked splunkd.log, and there are errors:
12-16-2017 10:54:42.598 -0800 ERROR ExecProcessor - message from ""C:\Program Files\Splunk\bin\splunk-winevtlog.exe"" splunk-winevtlog - WinEventMon::configure: Failed to find Event Log with channel name='Microsoft-Windows-Sysmon/Operational'
12-16-2017 10:54:57.854 -0800 WARN LookupOperator - Unable to find property=filename for lookup=zip_amazon.csv will attempt to use implicit filename.
12-16-2017 10:54:57.855 -0800 WARN LookupOperator - Using implicit filename=C:\Program Files\Splunk\etc\apps\amazonpurchases\lookups\zip_amazon.csv implicit lookups do not use transforms.conf-defined settings.
12-16-2017 10:54:57.881 -0800 WARN LookupOperator - Unable to find property=filename for lookup=zip_amazon.csv will attempt to use implicit filename.
I'm not sure why it is referencing amazon.csv; that is not the name of my .csv file. I see this in a list after I upload (I can't recall where). I even tried renaming my .csv file, but of course that did not work either.
Help! What am I doing wrong? It has to be something simple that I have missed.