Hello,
I have cloned the CSV source type in Splunk, created a new CSV sourcetype named Alpha_csv, and configured it to monitor the csv files.
I have created a deployment app and configured inputs.conf in the deployment app.
All my csv files are not getting monitored but not as per header values. (no csv headers are getting listed)
csv sourcetype is set to auto, comma separated csv.
Can anyone help on this?
Thanks
Along with inputs.conf, you also need to copy the settings for Alpha_csv into props.conf in the deployment app and deploy it to the forwarder server.
Hello @Gowthamdevaraj ,
If I understand you correctly, the file gets monitored correctly, but you cannot see the first line of the logs with header names? This is how indexed_extraction for CSV works - your fields get parsed and mapped to the right field taken from the header line, and the header line gets removed. You can access any parsed field by using the field name.
Here is more info about indexed extraction: https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/Extractfieldsfromfileswithstructureddata
Did it work before you cloned the source type?
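A sketch of the deployment app the two answers above describe, added here as an example and not taken from any poster's configuration: the monitor input and the cloned Alpha_csv sourcetype definition ship together so the forwarder can do the CSV header parsing itself. The app name `alpha_csv_inputs` and the monitor path are hypothetical placeholders; the props.conf settings are standard Splunk structured-data settings.

```ini
# Both files live in one app on the deployment server, for example
# (app name is a hypothetical placeholder):
#   $SPLUNK_HOME/etc/deployment-apps/alpha_csv_inputs/local/inputs.conf
#   $SPLUNK_HOME/etc/deployment-apps/alpha_csv_inputs/local/props.conf

# ---------------- inputs.conf ----------------
# Placeholder path; point it at the directory that holds the CSV files.
[monitor:///path/to/csv/*.csv]
sourcetype = Alpha_csv
disabled = false

# ---------------- props.conf -----------------
# Structured-data parsing happens on the forwarder that reads the file,
# so this stanza has to be deployed there, not only on the indexer or
# search head where the sourcetype was cloned.
[Alpha_csv]
# Parse each file as CSV at input time and create indexed fields.
INDEXED_EXTRACTIONS = csv
FIELD_DELIMITER = ,
# Line 1 supplies the field names. It is consumed as the header and is
# not indexed as an event, which is why it never shows up in search.
HEADER_FIELD_LINE_NUMBER = 1
SHOULD_LINEMERGE = false
# Search-time setting (takes effect on the search head): avoids
# extracting the same fields a second time at search.
KV_MODE = none
```

After the app is deployed and the forwarder restarted, `splunk btool props list Alpha_csv --debug` run on the forwarder shows whether the stanza arrived and which file each setting comes from.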