Getting Data In

Issues ingesting csv through file monitor

Dmikos1271
Explorer

I recently set up a Splunk UF on a Windows server that did not have it. As part of that process I deployed the same deployment client that was used with all the other servers. My only goal for now is to do file monitoring from this specific server and to start I wanted to monitor a file location of a csv. 

The inputs.conf file looks like this:

[default]

host=SERVER1

[monitor://E:\Scripts\S_M\T_I\abipdb.csv]

sourcetype=abipdb-csv

index=abipdbindex

disabled = 0

The outputs.conf file was copied from one of the server locations with a UF that work fine. The events should be forwarding the data to an indexer cluster:

[tcpout]

defaultGroup=indexers_1,indexers_2

[tcpout: indexers_1]

server=10.##.##.##, 10.##.##.##

[tcpout: indexers_2]

server=10.##.##.##, 10.##.##.##

The splunkd.log shows that the above file location was added to watch. I did deploy an app with the new abipdbindex to the indexer cluster and I can see that index in the index list for each indexer (when checking in Splunk Web). I have a props.conf file set up for that sourcetype:

[abipdb-csv]

FIELD_DELIMITER=,

FIELD_NAMES=column1, column2, column3 etc... (column names match the column names in the csv file)

All the above conf files are stored in system\local and there is no other apps set up on this UF. 

However, the index has not ingested any events successfully. What could be set up incorrectly and why is the csv file not being ingested properly?

 

0 Karma
1 Solution

Dmikos1271
Explorer

The issue was resolved by amending the path from an absolute path E:\Scripts\S_M\T_I\abipdb.csv  to E:\Scripts\S_M\T_I\abipdb*.

View solution in original post

0 Karma

Dmikos1271
Explorer

The issue was resolved by amending the path from an absolute path E:\Scripts\S_M\T_I\abipdb.csv  to E:\Scripts\S_M\T_I\abipdb*.

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...