Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Inputs.conf a CSV File From Universal Forwarder

zekiramhi
Path Finder
‎09-18-2020 05:02 AM

I have the test index ready and receiving other API related script outputs. However, I am trying to set up a CSV input towards the same index from a single universal forwarder server. Yet do not have any results coming when the CSV results are searched for.

Path for my inputs.conf : SplunkUniversalForwarder\etc\system\local

I do not have any props.conf or outputs.conf on the specified inputs.conf path, could that be a reason? I am more suspicious of not specifying a "Current Time" Timestamp in the props.conf but I do not know how to accomplish that.

My Current inputs.conf:

[monitor://C:\Users\testuser\Desktop\Splunk_test.csv]
index = test
sourcetype = csv
interval = 300

I am new to assigning monitoring of files, so assistance towards the matter would be very appreciated.

Regards,

 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-18-2020 05:29 AM

Hi @zekiramhi,

maybe the file was already read and splunk doesn't read twice a file.

To be sure, make these:

change the name of the test file (e.g. Splunk_test1.csv)

modify the inputs.conf in this way:

[monitor://C:\Users\testuser\Desktop\Splunk_test1.csv]
index = test
sourcetype = csv
crcSalt = <SOURCE>

restart Splunk on the universal Forwarder.

In this way you should index the file.

Remember that csv in the only case where props.conf and transforms.conf must be both on Indexer and Universal Forwarder.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-18-2020 05:29 AM

Hi @zekiramhi,

maybe the file was already read and splunk doesn't read twice a file.

To be sure, make these:

change the name of the test file (e.g. Splunk_test1.csv)

modify the inputs.conf in this way:

[monitor://C:\Users\testuser\Desktop\Splunk_test1.csv]
index = test
sourcetype = csv
crcSalt = <SOURCE>

restart Splunk on the universal Forwarder.

In this way you should index the file.

Remember that csv in the only case where props.conf and transforms.conf must be both on Indexer and Universal Forwarder.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

zekiramhi
Path Finder
‎09-18-2020 05:52 AM

Hello Giuseppe,

As I have said in my original post, I do not have props.conf or transforms.conf file in my inputs.conf path. Is there a bare minimum that you can show me to put inside those 2 configuration files?

I have done the earlier suggestions but I am still waiting for results.

Regards

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-18-2020 06:00 AM

Hi @zekiramhi,

take a sample of the csv file in your pc and ingest it following the guided procedure [Settings -- Add Data -- Upload].

In this way you can find the correct props.conf to use, then you can copy it in your Universal Forwarder:

  • in $SPLUNK_HOME\etc\system\local if you're in test,
  • in $SPLUNK_HOME\etc\apps\your_TA\local when you will be in production, where your_TA is a Technical Add-On that contains also inputs.conf. 

Ciao.

Giuseppe

P.S.: if the answer solves your need, please accept it for the other people of Community and Karma Points are appreciated 😉

0 Karma
Reply
Solved! Jump to solution

zekiramhi
Path Finder
‎09-18-2020 05:54 AM

Cross that, it actually worked. Thanks a bunch dude!

Happy Splunking!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...