How to configure Splunk to read a csv file from a ...

avni26 · ‎10-09-2019

Hi,
I have one csv file at location /apps/data_splunk/.csv
And this CSV file has data like below
JAN-18 | 31-JAN-2018 | -1 | 1 | 31-JAN-18 | 01-FEB-18 | 727
JAN-18 | 01-FEB-2018 | 1 | 1 | 01-FEB-18 | 02-FEB-18 | 751
JAN-18 | 02-FEB-2018 | 2 | 1 | 02-FEB-18 | 02-FEB-18 | 342
JAN-18 | 06-FEB-2018 | 4 | 1 | 06-FEB-18 | 06-FEB-18 | 323

I want to forward this data to my splunk.
Here is what I have done, but it's not working. I have these setup on the Splunk UF server.
Inputs.conf
[monitor://data_splunk/.csv]
disabled = false
index = _idx2
sourcetype = mycsvfileData

Props.conf
[mycsvfileData]
INDEXED_EXTRACTIONS = csv
SHOULD_LINEMERGE = false
NO_BINARY_CHECK = true
KV_MODE = none
category = Structured
FIELD_DELIMITER = |

Please let me know, what I am doing wrong. Please suggest the better way.
Thanks in advance.

richgalloway · ‎10-09-2019

Please elaborate on "it's not working". What results are you getting compared to what you expect?
The monitor line does not match the file name you say you want to read.

---
If this reply helps you, Karma would be appreciated.

avni26 · ‎10-09-2019

Hi @richgalloway. Not working means, no data is getting reflected to splunk(mycsvfileData sourcetype is not getting reflected in splunk)
ohh , missed it here in question deatil. Monitor line is "[monitor:///apps/data_splunk/.csv]".

richgalloway · ‎10-09-2019

Check the permissions on the file to verify splunk has read access.
Run splunk list monitor on the UF and verify the file is listed.
Check splunkd.log on the UF for errors related to the file.
Verify you have data in index=_internal from the UF.

---
If this reply helps you, Karma would be appreciated.

How to configure Splunk to read a csv file from a universal forwarder?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies