Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Inputs.conf a CSV File From Universal Forwarder

zekiramhi
Path Finder
‎09-18-2020 05:02 AM

I have the test index ready and receiving other API related script outputs. However, I am trying to set up a CSV input towards the same index from a single universal forwarder server. Yet do not have any results coming when the CSV results are searched for.

Path for my inputs.conf : SplunkUniversalForwarder\etc\system\local

I do not have any props.conf or outputs.conf on the specified inputs.conf path, could that be a reason? I am more suspicious of not specifying a "Current Time" Timestamp in the props.conf but I do not know how to accomplish that.

My Current inputs.conf:

[monitor://C:\Users\testuser\Desktop\Splunk_test.csv]
index = test
sourcetype = csv
interval = 300

I am new to assigning monitoring of files, so assistance towards the matter would be very appreciated.

Regards,

 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-18-2020 05:29 AM

Hi @zekiramhi,

maybe the file was already read and splunk doesn't read twice a file.

To be sure, make these:

change the name of the test file (e.g. Splunk_test1.csv)

modify the inputs.conf in this way:

[monitor://C:\Users\testuser\Desktop\Splunk_test1.csv]
index = test
sourcetype = csv
crcSalt = <SOURCE>

restart Splunk on the universal Forwarder.

In this way you should index the file.

Remember that csv in the only case where props.conf and transforms.conf must be both on Indexer and Universal Forwarder.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-18-2020 05:29 AM

Hi @zekiramhi,

maybe the file was already read and splunk doesn't read twice a file.

To be sure, make these:

change the name of the test file (e.g. Splunk_test1.csv)

modify the inputs.conf in this way:

[monitor://C:\Users\testuser\Desktop\Splunk_test1.csv]
index = test
sourcetype = csv
crcSalt = <SOURCE>

restart Splunk on the universal Forwarder.

In this way you should index the file.

Remember that csv in the only case where props.conf and transforms.conf must be both on Indexer and Universal Forwarder.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

zekiramhi
Path Finder
‎09-18-2020 05:52 AM

Hello Giuseppe,

As I have said in my original post, I do not have props.conf or transforms.conf file in my inputs.conf path. Is there a bare minimum that you can show me to put inside those 2 configuration files?

I have done the earlier suggestions but I am still waiting for results.

Regards

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-18-2020 06:00 AM

Hi @zekiramhi,

take a sample of the csv file in your pc and ingest it following the guided procedure [Settings -- Add Data -- Upload].

In this way you can find the correct props.conf to use, then you can copy it in your Universal Forwarder:

  • in $SPLUNK_HOME\etc\system\local if you're in test,
  • in $SPLUNK_HOME\etc\apps\your_TA\local when you will be in production, where your_TA is a Technical Add-On that contains also inputs.conf. 

Ciao.

Giuseppe

P.S.: if the answer solves your need, please accept it for the other people of Community and Karma Points are appreciated 😉

0 Karma
Reply
Solved! Jump to solution

zekiramhi
Path Finder
‎09-18-2020 05:54 AM

Cross that, it actually worked. Thanks a bunch dude!

Happy Splunking!

0 Karma
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...