In testing for implementation on an enterprise Splunk implementation, I am working on my XP desktop with Splunk 4.31 installed.
I have a file that is essentially a csv file but is delimited by pipes (|). I want to use props.conf and transforms.conf to extract the fields. I have everything set up, I THINK correctly, but the file simply will not index. I am getting no data. Any help appreciated!
Here are the configs:
inputs.conf....
[default]
host = MyPC
[monitor://C:\Documents and Settings\c5012044\My Documents\ebqa4\ebqa4a.pipe]
disabled = 0
followTail = 0
sourcetype = ebqa
props.conf...
[ebqa]
SHOULD_LINEMERGE = false
TRANSFORMS-t01 = csv1-fieldextraction
NO_BINARY_CHECK = 1
pulldown_type = 1
and transforms.conf...
[csv1-fieldextraction]
DELIMS="|"
FIELDS="TimeStamp","Start_Timestamp","Commit_Timestamp","Operation","Username","OS_Username", "Machine_Name", "SQL_Redo"
Thanks in advance for your help.
Do you see your inputs here?
https://<splunk_ip>:8089/services/admin/inputstatus/TailingProcessor:FileStatus
As I mentioned initially, this is on a test system. I have indexed exactly two files (or attempted to). This, and one other. Even on the Search App summary page, I see only the other source, not this source. I am boggled.
This is strange... the only reason I could see is that the data is sent to an index which is NOT searched by default...
But as per your inputs.conf there is no specific index specified...
Does 'index="*" sourcetype=ebqa' bring nothing too?
10 Records, no errors. I see the same info in the splunkd.log file. Mainly INFO events about parsing the file. 2 Warnings about timestamps being far apart, but accepted anyway.
What do you get from this search:
index=_internal sourcetype=splunkd "*.pipe"
Any errors?
Yes, I do
Says "Finished reading"
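
An added example, not part of any post in this thread: a small Python check that cross-references the props.conf and transforms.conf stanzas posted above. It assumes the rule in Splunk's transforms.conf documentation that DELIMS and FIELDS apply only to search-time extractions (referenced from a REPORT- class rather than TRANSFORMS-); the function names are hypothetical.

```python
import configparser

# Constructed sample: the props.conf and transforms.conf stanzas posted in the thread.
PROPS = """
[ebqa]
SHOULD_LINEMERGE = false
TRANSFORMS-t01 = csv1-fieldextraction
NO_BINARY_CHECK = 1
pulldown_type = 1
"""
TRANSFORMS = """
[csv1-fieldextraction]
DELIMS="|"
FIELDS="TimeStamp","Start_Timestamp","Commit_Timestamp","Operation","Username","OS_Username", "Machine_Name", "SQL_Redo"
"""

# Assumption (Splunk transforms.conf documentation): these are search-time only.
SEARCH_TIME_ONLY = {"DELIMS", "FIELDS"}


def load(text):
    """Parse Splunk .conf text, keeping the case of setting names."""
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # configparser lowercases keys unless told otherwise
    cp.read_string(text)
    return cp


def lint(props_text, transforms_text):
    """Return (sourcetype, props key, transform stanza, message) findings."""
    props, transforms = load(props_text), load(transforms_text)
    findings = []
    for sourcetype in props.sections():
        for key, value in props.items(sourcetype):
            kind = key.split("-", 1)[0]  # TRANSFORMS-t01 -> TRANSFORMS
            if kind not in ("TRANSFORMS", "REPORT"):
                continue
            for name in (n.strip() for n in value.split(",")):
                if not transforms.has_section(name):
                    findings.append((sourcetype, key, name, "no such stanza in transforms.conf"))
                    continue
                used = SEARCH_TIME_ONLY & set(transforms.options(name))
                if kind == "TRANSFORMS" and used:
                    msg = "index-time class uses search-time-only %s; reference it from a REPORT- class" % "/".join(sorted(used))
                    findings.append((sourcetype, key, name, msg))
    return findings


if __name__ == "__main__":
    print(lint(PROPS, TRANSFORMS))
```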