Getting Data In

Issues ingesting csv through file monitor

Dmikos1271
Explorer

I recently set up a Splunk UF on a Windows server that did not have it. As part of that process I deployed the same deployment client that was used with all the other servers. My only goal for now is to do file monitoring from this specific server and to start I wanted to monitor a file location of a csv. 

The inputs.conf file looks like this:

[default]

host=SERVER1

[monitor://E:\Scripts\S_M\T_I\abipdb.csv]

sourcetype=abipdb-csv

index=abipdbindex

disabled = 0

The outputs.conf file was copied from one of the server locations with a UF that work fine. The events should be forwarding the data to an indexer cluster:

[tcpout]

defaultGroup=indexers_1,indexers_2

[tcpout: indexers_1]

server=10.##.##.##, 10.##.##.##

[tcpout: indexers_2]

server=10.##.##.##, 10.##.##.##

The splunkd.log shows that the above file location was added to watch. I did deploy an app with the new abipdbindex to the indexer cluster and I can see that index in the index list for each indexer (when checking in Splunk Web). I have a props.conf file set up for that sourcetype:

[abipdb-csv]

FIELD_DELIMITER=,

FIELD_NAMES=column1, column2, column3 etc... (column names match the column names in the csv file)

All the above conf files are stored in system\local and there is no other apps set up on this UF. 

However, the index has not ingested any events successfully. What could be set up incorrectly and why is the csv file not being ingested properly?

 

0 Karma
1 Solution

Dmikos1271
Explorer

The issue was resolved by amending the path from an absolute path E:\Scripts\S_M\T_I\abipdb.csv  to E:\Scripts\S_M\T_I\abipdb*.

View solution in original post

0 Karma

Dmikos1271
Explorer

The issue was resolved by amending the path from an absolute path E:\Scripts\S_M\T_I\abipdb.csv  to E:\Scripts\S_M\T_I\abipdb*.

0 Karma
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...