Re: Not able to read CSV from Universal forwarder

shugup2923 · ‎01-10-2020

I am trying to read csv from one of my universal forwareder, below is my inputs file

[monitor://D:\DUMP\Updated_Dump*.CSV]
sourcetype=csv
disabled=false
index=xyz
crcSalt=

After checking splunkd log getting below events
INFO TailingProcessor - Adding watch on path: D:\DUMP
INFO TailingProcessor - Parsing configuration stanza: monitor://D:\DUMP\Updated_Dump*.CSV

Please let me know how this can be resolved.

koshyk · ‎01-10-2020

as per logs, it seems it is reading the log file.
what's the search you using to search the data? Have a search across all your splunk for some keyword from CSV. It might have come up as another sourcetype or different index

index=* sourcetype=* <somekeyword_from_csv_file> earliest=-1000d latest=+100d | stats count by sourcetype,index

run btool on sourcetype csv for props.conf & transforms.conf to check if it is getting overridden somewhere.

shugup2923 · ‎01-12-2020

I am using basic search - index=xyz sourcetype=csv

skalliger · ‎01-10-2020

Those are informational messages, I don't see an error. Also, don't set a crcSalt if you don't need any.
The file is not getting ingested? Any WARN or ERROR messages from TailingProcessor in your log?

Skalli

shugup2923 · ‎01-10-2020

crcSalt= is there, pasting error .
file is not getting ingested, can't see my data in search head, anyway to troubleshoot ?

Not able to read CSV from Universal forwarder

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Join the Conversation

Not able to read CSV from Universal forwarder

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience