Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

CSV file Indexing issue

Nadhiyaa
Path Finder
‎02-16-2019 11:55 PM

Hi,

Below is my content of my csv file

Splunk_Backup_Success_Rate
"A table showing the master server, number of backups that were successful and failed, the success rate and total amount processed for each day "
Report Time Frame: Previous 24 Hours
Period,Node Name,Successful Jobs,Failed Jobs,Total Job Count,Success Rate (%),Size(GB)
2019-02-16,dcabak02.dca.com,2278,7,2285,99.69,"8,350.13"
2019-02-17,dcabak02.dca.com,948,1,949,99.89,"8,581.66"
GRAND SUMMARY,-,3226,8,3234,99.75,"16,931.78"
"Report generated on Feb 17, 2019 7:01:39 AM"

I Want to index only these 3 lines
Period,Node Name,Successful Jobs,Failed Jobs,Total Job Count,Success Rate (%),Size(GB)
2019-02-16,dcabak02.dca.com,2278,7,2285,99.69,"8,350.13"
2019-02-17,dcabak02.dca.com,948,1,949,99.89,"8,581.66"

Below is my configuration setting

Transforms.conf
[netbackup]
DELIMS = ","
FIELDS=Period,Node Name,Successful Jobs,Failed Jobs,Total Job Count,Success Rate (%),Size(GB)

props.conf

[netbackup]
DATETIME_CONFIG = CURRENT
FIELD_DELIMITER = ,
INDEXED_EXTRACTIONS = csv
CHECK_FOR_HEADER = true
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
disabled = false
pulldown_type = true
REPORT-netbackup = REPORT-netbackup[netbackup]
DATETIME_CONFIG = CURRENT
FIELD_DELIMITER = ,
INDEXED_EXTRACTIONS = csv
CHECK_FOR_HEADER = true
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
disabled = false
pulldown_type = true
REPORT-netbackup = REPORT-netbackup

Somehow my data not being indexed into Splunk. Can anyone please tell me whats wrong with the conf

Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-17-2019 01:30 PM

What you have is not a CSV file so trying to treat it like one will fail. instead, select the lines you want for indexing and the rest to the null queue.

props.conf:

[netbackup]
SHOULD_LINEMERGE = false
TRANSFORMS-netbackup = netbackup, setnull

transforms.conf:

[netbackup]
REGEX = ^\d\d\d\d-\d\d-\d\d
DEST_KEY = queue
FIELDS=Period,Node Name,Successful Jobs,Failed Jobs,Total Job Count,Success Rate (%),Size(GB)

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Nadhiyaa
Path Finder
‎02-17-2019 11:43 PM

Hi @ richgalloway

I tried but still not able to index.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-19-2019 10:42 AM

How are you trying to find the data (what is your search)?
Consider renaming the fields to remove spaces and special characters. You can rename them back at search time.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...