Splunk Documents 404 & CSV Issues

New Member

Hi-

For some reason every time I try to go to the documentation from within Splunk or from other links, I get a 404 page not found and a loop occurs where I don't really ever see the 404 page. So as I can't get to the documentation, I'd like to ask for some help...

I have a directory that includes several .csv files, each with a specific format:
"Username","Log On/Off","Hostname","IP Address","YYYMMDDHHMM","Domain"
Each csv file is named for the user and tracks the computer that they are logged into currently - tracks log on and log off. How can I easily map these fields to appropriate fields for Splunk to understand? Splunk can't figure out the timestamp here, or the hostname (as all files sit on the same network share)...

I'm sure this is simple, but without being able to access any documentation, I'm kind of flying in the dark. Has happened on several computers today at our location so I gave up. Thanks in advance for any help!

0 Karma

New Member

Okay, so I will answer my own question!

Here is my props.conf:

[csv-2]
TIME_PREFIX=^([^,]*,){4}
pulldown_type=1
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=false
TIME_FORMAT=%Y%m%d%H%M
TZ=America/New_York
CHECK_FOR_HEADER = false
KV_MODE = none
PRIORITY = 101
TRANSFORMS-extract_host = extract_host
TRANSFORMS-AutoHeader-1 = AutoHeader-1

And here is my transforms.conf:

[AutoHeader-1]
DELIMS = ","
REGEX = (.*?):\s+([0-9,]+)
MV_ADD = true
REPEAT_MATCH = TRUE
CLEAN_KEYS = true
FIELDS = "Username", "Log[On]/Log[Off]", "host", "IP Address", "Timestamp", "Domain"

[extract_host]
# Skip the first two fields, then capture the third (hostname) without its quotes
REGEX = ^(?:[^,]*,){2}"?([^",]*)
FORMAT = host::$1
DEST_KEY = MetaData:Host

Remember that after making any changes, you need to:
1. Restart the services
2. Gather more data - the previously indexed data won't change. You need new events.

I'd like to know more about the MetaData: keys that I can map to.... Are there more known constructs in Splunk? This was the only one I found in the documentation...

0 Karma
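
An added example, not part of the original post or Splunk's own tooling: a Python check that runs the TIME_PREFIX and TIME_FORMAT from the props.conf above, plus two hostname patterns, against constructed sample lines before anything is indexed. The sample events, function names and the quote-skipping step are assumptions of this example; it contrasts a repeated capturing group with a non-capturing skip for the hostname field.

```python
import re
from datetime import datetime

# From the props.conf in the post above.
TIME_PREFIX = r'^([^,]*,){4}'
TIME_FORMAT = '%Y%m%d%H%M'

# Two ways to reach the third CSV field (hostname). A repeated capturing
# group keeps only its last iteration, quotes and trailing comma included.
HOST_REPEATED = r'^([^,]*,){3}'
HOST_SKIP = r'^(?:[^,]*,){2}"?([^",]*)'

# Constructed sample events in the CSV layout from the question.
SAMPLE_EVENTS = [
    '"jdoe","Log On","WS-0142","192.168.1.57","201301151230","EXAMPLE"',
    '"jdoe","Log Off","WS-0142","192.168.1.57","201301151745","EXAMPLE"',
    '"jdoe","Log On","WS-0142","192.168.1.57"',  # truncated: no timestamp
]

def first_group(pattern, event):
    """Return capture group 1, which FORMAT = host::$1 would use."""
    m = re.search(pattern, event)
    return m.group(1) if m else None

def event_time(event):
    """Parse the timestamp that follows TIME_PREFIX; None if absent."""
    prefix = re.match(TIME_PREFIX, event)
    if not prefix:
        return None
    # Assumption of this example: skip the opening quote before parsing.
    digits = re.match(r'"?(\d{12})', event[prefix.end():])
    if not digits:
        return None
    try:
        return datetime.strptime(digits.group(1), TIME_FORMAT)
    except ValueError:  # twelve digits that are not a valid date
        return None

def check(event):
    return {
        "host_repeated": first_group(HOST_REPEATED, event),
        "host_skip": first_group(HOST_SKIP, event),
        "time": event_time(event),
    }

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(check(event))
```
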

Splunk Employee

The documentation issue is caused by being unable to reach, or DNS resolve, quickdraw.splunk.com and www.splunk.com.

New Member

Wow, okay... I added splunk.com to some of the ad blocking whitelists and it works now.... Not sure why. Web filter and firewall weren't impeding the data at all.

0 Karma

New Member

Thanks....

Okay, this is weird. DNS resolves for both of those domains you listed. Using Google Chrome, I go to docs.splunk.com and get forwarded to splunk-base.splunk.com. However if I try to go to docs.splunk.com in IE 10, it actually sends me to http://docs.splunk.com/Documentation

Beginning to think this may be because of an extension I have installed. Thanks.

0 Karma

Splunk Employee

docs.splunk.com = www.splunk.com
quickdraw.splunk.com does the translation to the right doc page.

If you can reach both, something in between is blocking you. The docs are and remain generally available.

0 Karma

New Member

Thanks for the thought, but no, this is not my issue.

H:\>nslookup quickdraw.splunk.com
Server: gracedca.grace.adn
Address: 192.168.1.251

Non-authoritative answer:
Name: quickdraw.splunk.com
Address: 216.221.226.40

0 Karma

Splunk Employee

On the docs side...just to confirm: you can't see docs.splunk.com from any browser in your location? The site is up and working.

0 Karma