All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Change sourcetype Splunk Addon for AWS

dstoev
Path Finder
‎10-09-2024 07:15 AM

For the past 2 days I'm trying to figure something out. I'll try to be clear as possible and hopefully that someone can guide me or explain why this is working like this.

I'm trying to index a CSV file stored in S3, but unfortunately the sourcetype aws:s3:csv is not indexing the file "properly" (meaning it is not extracting any fields - check left screenshot from the attached file).

I've modified the sourcetype aws:s3:csv (under the Splunk Addon for AWS application) and configured it exactly like the default CSV sourcetype (under system/default/proprs.conf).

After doing this if I index a file manually via "Settings/Add data" it is being indexed properly (fields are being extracted), but if the very same file is indexed by the app Splunk Addon for AWS,again  configured with the same sourcetype, there are no extracted fields.
Check attached screenshot for reference.

I've also tried to add other different configurations to the not-modified aws:s3:csv sourcetype like INDEXED_EXTRACTIONS = CSV; HEADER_FIELD_LINE_NUMBER = 1; FIELD_NAMES = field1,field2,field3 and various other configurations in props.conf (under Splunk Addon for AWS) but without success. The only "workaround" is if I use REPORT-extract_fields in props.conf for that sourcetype and in transforms.conf configure it, but this is not ideal.

Additionally I've set the sourcetype to csv  (default Splunk sourcetype) in the inputs.conf but this also seems to not work.

Splunk 9.2.1
Splunk Add-on for AWS 7.7.0

Similar questions without proper answer:
https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Amazon-Web-Services-How-to-ge...

https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Add-on-for-AWS-Ingesting-csv-files-and-he-f...

https://community.splunk.com/t5/All-Apps-and-Add-ons/S3-bucket-with-CSV-files-not-extracting-fields-...

https://community.splunk.com/t5/Getting-Data-In/No-fields-or-timestamps-extracted-when-indexing-TSV-...

https://community.splunk.com/t5/Getting-Data-In/Why-is-CSV-data-not-getting-parsed-while-being-monit...

Labels (1)
Labels
0 Karma
Reply

Meett
Splunk Employee
Splunk Employee
‎10-17-2024 11:57 PM

Hey @dstoev if CSV has a proper header and you have marked checkbox for Parse all files as CSV in the input configuration page.

0 Karma
Reply

dstoev
Path Finder
‎10-24-2024 01:57 PM

Hey @Meett , this does not solve the issue, I think the culprit is what I've shared in my own comment/reply?

0 Karma
Reply

dstoev
Path Finder
‎10-11-2024 05:14 AM

Maybe the reason is https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-configure-csv-sourcetype-quot-mscs-stora... ?

dstoev_0-1728648847304.png

 

0 Karma
Reply
Get Updates on the Splunk Community!

Buttercup Games Tutorial Extension - part 9

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games Tutorial Extension - part 8

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Introducing the Splunk Developer Program!

Hey Splunk community! We are excited to announce that Splunk is launching the Splunk Developer Program in ...
Top