Help with small CSV file indexing

rayar
Contributor

I am trying to index a small CSV file with 2 columns (Size: 5.32 KB (5,453 bytes), Size on Disk: 8.00 KB (8,192 bytes)) by Heavy Forwarder.

 

On the forwarder I see that it shows 0 files.


 

inputs.conf


[monitor://\\ntnet\filestore1\information_security$\ACSC_Websense_Large_Web_Traffic_Exclusion_List\]
disabled = 0
index = websense_large_web_traffic
sourcetype = csv
crcSalt = <SOURCE>
initCrcLength = 512

 

0 Karma

gcusello
Esteemed Legend

Hi @rayar,

do you have data in Splunk (using a search)?

The dashboard in your screenshot isn't relevant; check in the search dashboard of the Search Head.

Ciao.

Giuseppe

0 Karma

rayar
Contributor

The data is not indexed.

I also don't see any activity in index=_*

and the issue that I see is that the HF sees 0 files under the path.

0 Karma

gcusello
Esteemed Legend

Hi @rayar,

you have to search something like

index=websense_large_web_traffic source="*\<your_file_name>"

not in _* indexes.

Ciao.

Giuseppe

0 Karma

rayar
Contributor

The data is not indexed to the index.

Also, I don't see any events in the internal indexes.

What can be the reason the HF doesn't recognize files?

I copied the same file to my local machine and was able to index it manually.

0 Karma

rayar
Contributor

Just noticed that if I add data manually from the HF itself, the data is also not indexed.

What can be the reason?

0 Karma

gcusello
Esteemed Legend

@rayar,

maybe the filename is missing, please try to use in your inputs.conf:

[monitor://\\ntnet\filestore1\information_security$\ACSC_Websense_Large_Web_Traffic_Exclusion_List\*.csv]

or adding at the end of the path the filename with extension.

Ciao.

Giuseppe

0 Karma

rayar
Contributor

[monitor://\\ntnet\filestore1\information_security$\ACSC_Websense_Large_Web_Traffic_Exclusion_List\*.csv]
disabled = 0
index = websense_large_web_traffic
sourcetype = csv
crcSalt = <SOURCE>
initCrcLength = 512

 

still I see 0 in the heavy forwarder 

 


 

0 Karma

gcusello
Esteemed Legend

Hi @rayar,

this is a network folder: does the user you're using have grants to access this folder?

If you run in a cmd window

dir \\ntnet\filestore1\information_security$\ACSC_Websense_Large_Web_Traffic_Exclusion_List\*.csv

do you get results?

Ciao.

Giuseppe

0 Karma

rayar
Contributor

C:\Users\issplunk>dir \\ntnet\filestore1\information_security$\ACSC_Websense_Large_Web_Traffic_Exclusion_List\*.csv
Volume in drive \\ntnet\filestore1 is SCCM Content
Volume Serial Number is 1EFA-6F4C

Directory of \\ntnet\filestore1\information_security$\ACSC_Websense_Large_Web_Traffic_Exclusion_List

09/12/2022 04:01 PM 5,453 Websense_Lare_Web_Traffic_Exclusion_August_2022.csv
09/13/2022 03:23 PM 5,458 Websense_Lare_Web_Traffic_Exclusion_082022.csv
2 File(s) 10,911 bytes
0 Dir(s) 211,867,983,872 bytes free

C:\Users\issplunk>

0 Karma

gcusello
Esteemed Legend

Hi @rayar,

please run this last try:

change the name of your file and see if it's indexed now, because Splunk doesn't index a file twice; the only way to do this is using crcSalt and changing the filename.

Ciao.

Giuseppe

0 Karma
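The crcSalt and initCrcLength behaviour discussed in the reply above, as an added example that is not part of the thread and is not Splunk's code: a simplified Python model of the "have I seen this file?" check, showing why a renamed copy is skipped without `crcSalt = <SOURCE>` and how `initCrcLength` decides whether an early edit is noticed. `zlib.crc32`, the `SeenFiles` class, the paths and the CSV rows are assumptions made for illustration, and the model ignores read offsets and appended data.

```python
import zlib

def initial_crc(path, data, init_crc_length=256, crc_salt=None):
    # Simplified model: checksum over the first init_crc_length bytes
    # (256 is the documented default). zlib.crc32 is a stand-in checksum.
    if crc_salt == "<SOURCE>":
        salt = path.encode()              # <SOURCE> mixes the full source path in
    else:
        salt = (crc_salt or "").encode()  # any other string is used literally
    return zlib.crc32(salt + data[:init_crc_length])

class SeenFiles:
    """Hypothetical stand-in for the forwarder's record of files already read."""
    def __init__(self, init_crc_length=256, crc_salt=None):
        self.init_crc_length = init_crc_length
        self.crc_salt = crc_salt
        self.crcs = set()

    def offer(self, path, data):
        crc = initial_crc(path, data, self.init_crc_length, self.crc_salt)
        if crc in self.crcs:
            return "seen"                 # treated as already indexed, skipped
        self.crcs.add(crc)
        return "new"                      # would be read and indexed

# Constructed sample data: two CSVs that share their first bytes.
BASE = b"domain,category\n" + b"".join(
    b"host%03d.example.com,excluded\n" % i for i in range(40))
APPENDED = BASE + b"late.example.com,excluded\n"     # differs only at the end
EDITED_AT_300 = BASE[:300] + b"X" + BASE[301:]       # differs at byte 300
PATH_A = r"\\server\share\list_a.csv"                # constructed paths
PATH_B = r"\\server\share\list_b.csv"

def demo():
    out = {}
    plain = SeenFiles()                               # no salt, 256 bytes
    plain.offer(PATH_A, BASE)
    out["renamed_copy_unsalted"] = plain.offer(PATH_B, APPENDED)
    salted = SeenFiles(init_crc_length=512, crc_salt="<SOURCE>")
    salted.offer(PATH_A, BASE)
    out["renamed_copy_salted"] = salted.offer(PATH_B, APPENDED)
    out["same_path_again_salted"] = salted.offer(PATH_A, BASE)
    for length in (256, 512):
        t = SeenFiles(init_crc_length=length)
        t.offer(PATH_A, BASE)
        out[f"edit_at_300_len_{length}"] = t.offer(PATH_A, EDITED_AT_300)
    return out

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```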

rayar
Contributor

Hi
I already tried it before and it still shows 0 files 

0 Karma

gcusello
Esteemed Legend

Hi @rayar,

last try,

could you try to copy your file to a folder without "$" in the path, changing the input stanza to the new folder?

Ciao.

Giuseppe

0 Karma

rayar
Contributor

I moved the monitoring to Linux UF and it resolved the issue 

thanks 

0 Karma

gcusello
Esteemed Legend

Hi @rayar,

it's always a good idea!

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉 

0 Karma