- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Indexing not working on the data imported by ....
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Indexing not working on the data imported by .csv file
Hello
I have a csv file which I need to index and the data looks like
6-Dec-12,R18541,,APPROVED,HDG,,3953,CS,Digital Support,NO,VIRTUAL REUSE,ISCW,2,WINDOWS,4,4,,5297,,,,8,8,8192,12,2012
I did create the the props.conf in indexers as
[capacity:performance]
SHOULD_LINEMERGE=false
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
In webviews props.conf has been set as
[capacity:performance]
REPORT-capacity_performance = capacity_performance_fields
The transforms has been set as below. In data when there is ,, even those fields headers has been mentioned. Would that create a problem?
[capacity_performance_fields]
DELIMS = ","
FIELDS = "date","effort","description","status","source","request","businesscase","area","Function", "planned","acquisition","location","servers","OS","processors","memory","tier","rar","col2","col22","col1","proctotal","memtota","month","year"
And local.meta has been set as
[transforms/capacity_performance_fields]
access = read : [ * ]
export = system
owner = nobody
version = 4.3.3
[props/capacityperformance/REPORT-capacity_performance]
access = read : [ * ]
export = system
owner = nobody
version = 4.3.3
It looks correct though, but the data isn't separating according to how transforms has been mentioned and separated by commas. Any idea on how to solve this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
it's working now. Did a blunder mistake of not placing : in the props config in local.meta.
It should be capacity:performance. Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Any help??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
^^ My bad. I didn't check the spelling mistake.
I was trying to separate the file using transforms and I am not seeing any fields. SOurcetype is showing the data, but the fields are not separated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In addition - are you aware / happy with the various versions of 'performace' vs performance?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also, what do you think you are referencing with capacity:performance. I don't believe they will be actually pointing at any data in that form.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could you elaborate on what you mea by that the data isn't "separating"? The data will look exactly like it did originally when you load it into Splunk, it will not be changed in any way. What the REPORT/DELIMS stuff is that at SEARCH TIME it extracts data in the events into fields. Is the problem that you're not seeing these fields?
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
