Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

csv with headers processing

a212830
Champion
‎08-24-2013 06:55 PM

Hi,

Trying (still) to get delimted files properly handled by Splunk, with automatic failed extraction. I followed the directions on this link - http://answers.splunk.com/answers/29418/step-by-step-adding-a-new-csv-datasource - which seem very straighfoward. One difference is that my files are pipe (|) delimited. When I start splunk, I get a bunch of the following:

ossible typo in stanza [snmpinfo-87] in /apps/splunk/splunk/etc/apps/learned/local/props.conf, line 1158: DELIMS = "|"
Possible typo in stanza [snmpinfo-88] in /apps/splunk/splunk/etc/apps/learned/local/props.conf, line 1170: DELIMS = "|"
Possible typo in stanza [snmpinfo-89] in /apps/splunk/splunk/etc/apps/learned/local/props.conf, line 1182: DELIMS = "|"
Possible typo in stanza [snmpinfo-90] in /apps/splunk/splunk/etc/apps/learned/local/props.conf, line 1194: DELIMS = "|"
Possible typo in stanza [snmpinfo-91] in /apps/splunk/splunk/etc/apps/learned/local/props.conf, line 1206: DELIMS = "|"
WARN IniFile - /apps/splunk/splunk/etc/system/local/props.conf, line 10: Cannot parse into key-value pair: REPORT-mysource snmp_csv

Does anyone have any suggestions? This is really frustrating me. My files are such:

inputs:
[monitor:///usr/local/nsmutils/export/current/]
index=perfstats
sourcetype=snmpinfo
followTail = 0
blacklist = .csv
crcSalt =
initCrcLength = 500

props:
[source::snmpinfo]
REPORT-mysource snmp_csv
MAX_TIMESTAMP_LOOKAHEAD = 30
SHOULD_LINEMERGE = FALSE
KV_MODE = none
CHECK_FOR_HEADER = TRUE
NO_BINARY_CHECK = 1
TIME_FORMAT = %s
SHOULD_LINEMERGE = false
TIME_PREFIX = ^"
TZ = US/Eastern

transforms:
[smp_csv]
DELIMS = "|"
FIELDS = "ATime","aItemId","aintMfName","ametric","avalue","amfDisplayName","adevice","acomponentName"

Tags (1)
0 Karma
Reply

TobiasBoone
Communicator
‎10-16-2013 08:49 AM

I believe needs to be all caps.

0 Karma
Reply

Ayn
Legend
‎08-25-2013 12:15 AM

Three things:

  1. You have the wrong syntax in props.conf. REPORT-mysource snmp_csv is missing an equals sign - it should be REPORT-mysource = snmp_csv.
  2. You have a typo in transforms.conf - you refer to snmp_csv in props.conf but the transform is called smp_csv.
  3. I think you've confused source with sourcetype. snmpinfo is the sourcetype, not the source, so when you say [source::snmpinfo] in props.conf, this won't match any events and your settings will not be applied no matter how correct they are. Your stanza should read just [snmpinfo] instead.
0 Karma
Reply

Ayn
Legend
‎08-25-2013 12:55 PM

It definitely can. Those warnings are not from your settings, they are from other config files.

0 Karma
Reply

a212830
Champion
‎08-25-2013 05:50 AM

Thanks for the help. I made those adjustments, but I'm still getting the same errors. Can splunk handle a pipe as a delimiter?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...