Getting Data In

Indexing not working on the data imported by .csv file

theouhuios
Motivator

Hello

I have a csv file which I need to index and the data looks like

6-Dec-12,R18541,,APPROVED,HDG,,3953,CS,Digital Support,NO,VIRTUAL REUSE,ISCW,2,WINDOWS,4,4,,5297,,,,8,8,8192,12,2012

I did create the the props.conf in indexers as

 [capacity:performance]
SHOULD_LINEMERGE=false
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT

In webviews props.conf has been set as

    [capacity:performance]
REPORT-capacity_performance = capacity_performance_fields

The transforms has been set as below. In data when there is ,, even those fields headers has been mentioned. Would that create a problem?

[capacity_performance_fields]
DELIMS = ","
FIELDS = "date","effort","description","status","source","request","businesscase","area","Function", "planned","acquisition","location","servers","OS","processors","memory","tier","rar","col2","col22","col1","proctotal","memtota","month","year"

And local.meta has been set as

[transforms/capacity_performance_fields]
access = read : [ * ]
export = system
owner = nobody
version = 4.3.3

[props/capacityperformance/REPORT-capacity_performance]
access = read : [ * ]
export = system
owner = nobody
version = 4.3.3

It looks correct though, but the data isn't separating according to how transforms has been mentioned and separated by commas. Any idea on how to solve this?

Tags (2)
0 Karma

theouhuios
Motivator

it's working now. Did a blunder mistake of not placing : in the props config in local.meta.
It should be capacity:performance. Thanks.

0 Karma

theouhuios
Motivator

Any help??

0 Karma

theouhuios
Motivator

^^ My bad. I didn't check the spelling mistake.
I was trying to separate the file using transforms and I am not seeing any fields. SOurcetype is showing the data, but the fields are not separated.

0 Karma

DaveSavage
Builder

In addition - are you aware / happy with the various versions of 'performace' vs performance?

0 Karma

Drainy
Champion

Also, what do you think you are referencing with capacity:performance. I don't believe they will be actually pointing at any data in that form.

0 Karma

Ayn
Legend

Could you elaborate on what you mea by that the data isn't "separating"? The data will look exactly like it did originally when you load it into Splunk, it will not be changed in any way. What the REPORT/DELIMS stuff is that at SEARCH TIME it extracts data in the events into fields. Is the problem that you're not seeing these fields?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...