- Community
- :
- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Inputs.conf a CSV File From Universal Forwarder
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the test index ready and receiving other API related script outputs. However, I am trying to set up a CSV input towards the same index from a single universal forwarder server. Yet do not have any results coming when the CSV results are searched for.
Path for my inputs.conf : SplunkUniversalForwarder\etc\system\local
I do not have any props.conf or outputs.conf on the specified inputs.conf path, could that be a reason? I am more suspicious of not specifying a "Current Time" Timestamp in the props.conf but I do not know how to accomplish that.
My Current inputs.conf:
[monitor://C:\Users\testuser\Desktop\Splunk_test.csv]
index = test
sourcetype = csv
interval = 300I am new to assigning monitoring of files, so assistance towards the matter would be very appreciated.
Regards,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @zekiramhi,
maybe the file was already read and splunk doesn't read twice a file.
To be sure, make these:
change the name of the test file (e.g. Splunk_test1.csv)
modify the inputs.conf in this way:
[monitor://C:\Users\testuser\Desktop\Splunk_test1.csv]
index = test
sourcetype = csv
crcSalt = <SOURCE>restart Splunk on the universal Forwarder.
In this way you should index the file.
Remember that csv in the only case where props.conf and transforms.conf must be both on Indexer and Universal Forwarder.
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @zekiramhi,
maybe the file was already read and splunk doesn't read twice a file.
To be sure, make these:
change the name of the test file (e.g. Splunk_test1.csv)
modify the inputs.conf in this way:
[monitor://C:\Users\testuser\Desktop\Splunk_test1.csv]
index = test
sourcetype = csv
crcSalt = <SOURCE>restart Splunk on the universal Forwarder.
In this way you should index the file.
Remember that csv in the only case where props.conf and transforms.conf must be both on Indexer and Universal Forwarder.
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Giuseppe,
As I have said in my original post, I do not have props.conf or transforms.conf file in my inputs.conf path. Is there a bare minimum that you can show me to put inside those 2 configuration files?
I have done the earlier suggestions but I am still waiting for results.
Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @zekiramhi,
take a sample of the csv file in your pc and ingest it following the guided procedure [Settings -- Add Data -- Upload].
In this way you can find the correct props.conf to use, then you can copy it in your Universal Forwarder:
- in $SPLUNK_HOME\etc\system\local if you're in test,
- in $SPLUNK_HOME\etc\apps\your_TA\local when you will be in production, where your_TA is a Technical Add-On that contains also inputs.conf.
Ciao.
Giuseppe
P.S.: if the answer solves your need, please accept it for the other people of Community and Karma Points are appreciated 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Cross that, it actually worked. Thanks a bunch dude!
Happy Splunking!
Build Scalable Security While Moving to Cloud - Guide From Clayton Homes
Mission Control | Explore the latest release of Splunk Mission Control (2.3)
Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7
