Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

File won't index

timmy13
Communicator
‎03-08-2012 10:25 AM

In testing for implementation on an enterprise Splunk implementation, I am working on my XP desktop with Splunk 4.31 installed.

I have a file that is essentially a csv file but is delimited by pipes (|). I want to use props.conf and transforms.conf to extract the fields. I have everything set up, I THINK correctly, but the file simple will not index. I am getting no data. Any help appreciated!

Here's the configs

inputs.conf....

[default]
host = MyPC

[monitor://C:\Documents and Settings\c5012044\My Documents\ebqa4\ebqa4a.pipe]
disabled = 0
followTail = 0
sourcetype = ebqa

props.conf...

[ebqa]
SHOULD_LINEMERGE = false
TRANSFORMS-t01 = csv1-fieldextraction
NO_BINARY_CHECK = 1
pulldown_type = 1

and transforms.conf...

[csv1-fieldextraction]
DELIMS="|"
FIELDS="TimeStamp","Start_Timestamp","Commit_Timestamp","Operation","Username","OS_Username", "Machine_Name", "SQL_Redo"

Thanks in advance for your help.

0 Karma
Reply

MarioM
Motivator
‎03-08-2012 12:23 PM

do you see your inputs here?

https://<splunk_ip>:8089/services/admin/inputstatus/TailingProcessor:FileStatus
0 Karma
Reply

timmy13
Communicator
‎03-12-2012 06:47 AM

As I mentioned initially, this is on a test system. I have indexed exactly two files (or attempted to). This, and one other. Even on the Search App summary page, I seee only the other source, not this source. I am boggled.

0 Karma
Reply

MarioM
Motivator
‎03-11-2012 01:12 AM

this is strange...the only reason i could see is that the data is sent to an index which is NOT searched by default...
But as per your inputs.conf there is no specific index specified...
does 'index="*" sourcetype=ebqa' bring nothing too?

0 Karma
Reply

timmy13
Communicator
‎03-09-2012 08:20 AM

10 Records, no errors. I see the same info in the splunkd.log file. Mainly INFO events about parsing the file. 2 Warnings about timestamps being far apart, but accepted anyway.

0 Karma
Reply

MarioM
Motivator
‎03-08-2012 02:40 PM

what do you get from this search:

index=_internal sourcetype=splunkd "*.pipe"

Any errors?

0 Karma
Reply

timmy13
Communicator
‎03-08-2012 01:04 PM

Yes, I do
Says "Finished reading"

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open. If ...