
CSV file Indexing issue

Path Finder

Hi,

Below is the content of my CSV file:

Splunk_Backup_Success_Rate
"A table showing the master server, number of backups that were successful and failed, the success rate and total amount processed for each day "
Report Time Frame: Previous 24 Hours
Period,Node Name,Successful Jobs,Failed Jobs,Total Job Count,Success Rate (%),Size(GB)
2019-02-16,dcabak02.dca.com,2278,7,2285,99.69,"8,350.13"
2019-02-17,dcabak02.dca.com,948,1,949,99.89,"8,581.66"
GRAND SUMMARY,-,3226,8,3234,99.75,"16,931.78"
"Report generated on Feb 17, 2019 7:01:39 AM"

I want to index only these 3 lines:
Period,Node Name,Successful Jobs,Failed Jobs,Total Job Count,Success Rate (%),Size(GB)
2019-02-16,dcabak02.dca.com,2278,7,2285,99.69,"8,350.13"
2019-02-17,dcabak02.dca.com,948,1,949,99.89,"8,581.66"

Below is my configuration setting

Transforms.conf
[netbackup]
DELIMS = ","
FIELDS=Period,Node Name,Successful Jobs,Failed Jobs,Total Job Count,Success Rate (%),Size(GB)

props.conf

[netbackup]
DATETIME_CONFIG = CURRENT
FIELD_DELIMITER = ,
INDEXED_EXTRACTIONS = csv
CHECK_FOR_HEADER = true
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
disabled = false
pulldown_type = true
REPORT-netbackup = REPORT-netbackup

Somehow my data is not being indexed into Splunk. Can anyone please tell me what's wrong with the conf?

0 Karma

SplunkTrust

What you have is not a CSV file, so trying to treat it like one will fail. Instead, select the lines you want for indexing and send the rest to the null queue.

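props.conf:

[netbackup]
SHOULD_LINEMERGE = false
# Transforms run in the order listed and the last match sets the queue,
# so discard everything first, then keep the dated rows.
TRANSFORMS-netbackup = setnull, netbackup

transforms.conf:

[netbackup]
# Route lines that start with a YYYY-MM-DD date back to the index queue.
REGEX = ^\d\d\d\d-\d\d-\d\d
DEST_KEY = queue
FORMAT = indexQueue
FIELDS=Period,Node Name,Successful Jobs,Failed Jobs,Total Job Count,Success Rate (%),Size(GB)

[setnull]
# Send every line to the null queue.
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue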
---
If this reply helps you, an upvote would be appreciated.
0 Karma
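
Added example, not part of the original thread and not Splunk code: a small Python model of index-time queue routing over the report from the question, comparing the two possible orders of the TRANSFORMS-netbackup list. It assumes Splunk's documented behaviour that transforms run in the listed order and the last matching one sets the queue; the netbackup_with_header pattern is a hypothetical variant that also keeps the "Period,..." header row.

```python
import re

# Report content copied from the question in this thread.
REPORT = '''Splunk_Backup_Success_Rate
"A table showing the master server, number of backups that were successful and failed, the success rate and total amount processed for each day "
Report Time Frame: Previous 24 Hours
Period,Node Name,Successful Jobs,Failed Jobs,Total Job Count,Success Rate (%),Size(GB)
2019-02-16,dcabak02.dca.com,2278,7,2285,99.69,"8,350.13"
2019-02-17,dcabak02.dca.com,948,1,949,99.89,"8,581.66"
GRAND SUMMARY,-,3226,8,3234,99.75,"16,931.78"
"Report generated on Feb 17, 2019 7:01:39 AM"'''.splitlines()

# Model of the transforms.conf stanzas: name -> (REGEX, FORMAT for DEST_KEY = queue).
TRANSFORMS = {
    "setnull": (re.compile(r"."), "nullQueue"),
    "netbackup": (re.compile(r"^\d\d\d\d-\d\d-\d\d"), "indexQueue"),
    # Hypothetical variant (not from the thread): also keep the header row.
    "netbackup_with_header": (re.compile(r"^(Period,|\d{4}-\d{2}-\d{2},)"), "indexQueue"),
}

def route(lines, order):
    """Return the lines still bound for indexQueue after applying `order`."""
    kept = []
    for line in lines:
        queue = "indexQueue"              # default destination for an event
        for name in order:                # transforms run in the listed order
            regex, fmt = TRANSFORMS[name]
            if regex.search(line):        # REGEX is an unanchored search
                queue = fmt               # a later match overwrites an earlier one
        if queue == "indexQueue":
            kept.append(line)
    return kept

if __name__ == "__main__":
    for order in (["netbackup", "setnull"],
                  ["setnull", "netbackup"],
                  ["setnull", "netbackup_with_header"]):
        kept = route(REPORT, order)
        print(f"TRANSFORMS-netbackup = {', '.join(order)} -> {len(kept)} event(s) kept")
        for line in kept:
            print("   ", line)
```

With the catch-all last, every line ends up in the null queue, which from the search side looks the same as the input never being read.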

Path Finder

Hi @richgalloway

I tried, but I am still not able to index.

0 Karma

SplunkTrust

How are you trying to find the data (what is your search)?
Consider renaming the fields to remove spaces and special characters. You can rename them back at search time.

---
If this reply helps you, an upvote would be appreciated.
0 Karma