Hi,
Trying (still) to get delimited files properly handled by Splunk, with automatic failed extraction. I followed the directions on this link - http://answers.splunk.com/answers/29418/step-by-step-adding-a-new-csv-datasource - which seem very straightforward. One difference is that my files are pipe (|) delimited. When I start Splunk, I get a bunch of the following:
Possible typo in stanza [snmpinfo-87] in /apps/splunk/splunk/etc/apps/learned/local/props.conf, line 1158: DELIMS = "|"
Possible typo in stanza [snmpinfo-88] in /apps/splunk/splunk/etc/apps/learned/local/props.conf, line 1170: DELIMS = "|"
Possible typo in stanza [snmpinfo-89] in /apps/splunk/splunk/etc/apps/learned/local/props.conf, line 1182: DELIMS = "|"
Possible typo in stanza [snmpinfo-90] in /apps/splunk/splunk/etc/apps/learned/local/props.conf, line 1194: DELIMS = "|"
Possible typo in stanza [snmpinfo-91] in /apps/splunk/splunk/etc/apps/learned/local/props.conf, line 1206: DELIMS = "|"
WARN IniFile - /apps/splunk/splunk/etc/system/local/props.conf, line 10: Cannot parse into key-value pair: REPORT-mysource snmp_csv
Does anyone have any suggestions? This is really frustrating me. My files are such:
inputs:
[monitor:///usr/local/nsmutils/export/current/]
index=perfstats
sourcetype=snmpinfo
followTail = 0
blacklist = .csv
crcSalt =
props:
[source::snmpinfo]
REPORT-mysource snmp_csv
MAX_TIMESTAMP_LOOKAHEAD = 30
SHOULD_LINEMERGE = FALSE
KV_MODE = none
CHECK_FOR_HEADER = TRUE
NO_BINARY_CHECK = 1
TIME_FORMAT = %s
SHOULD_LINEMERGE = false
TIME_PREFIX = ^"
TZ = US/Eastern
transforms:
[smp_csv]
DELIMS = "|"
FIELDS = "ATime","aItemId","aintMfName","ametric","avalue","amfDisplayName","adevice","acomponentName"
Three things:
REPORT-mysource snmp_csv is missing an equals sign - it should be REPORT-mysource = snmp_csv.
snmp_csv in props.conf but the transform is called smp_csv.
snmpinfo is the sourcetype, not the source, so when you say [source::snmpinfo] in props.conf, this won't match any events and your settings will not be applied no matter how correct they are. Your stanza should read just [snmpinfo] instead.
It definitely can. Those warnings are not from your settings, they are from other config files.
Thanks for the help. I made those adjustments, but I'm still getting the same errors. Can splunk handle a pipe as a delimiter?
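The three problems named in the answer above can be checked mechanically before restarting Splunk. The following is an added example, not code from the thread or from Splunk: the `parse` and `lint` helpers are hypothetical names, and the sample files are trimmed copies of the poster's configuration.

```python
import re

# Constructed copies of the poster's files (trimmed to the relevant lines).
INPUTS = """[monitor:///usr/local/nsmutils/export/current/]
index=perfstats
sourcetype=snmpinfo
"""
PROPS = """[source::snmpinfo]
REPORT-mysource snmp_csv
KV_MODE = none
"""
TRANSFORMS = """[smp_csv]
DELIMS = "|"
FIELDS = "ATime","aItemId"
"""

def parse(text):
    """Return ({stanza: {key: value}}, [(lineno, line)] for lines that are not key = value)."""
    stanzas, bad = {}, []
    current = stanzas.setdefault("default", {})  # keys before any stanza header
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
        elif "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
        else:
            bad.append((n, line))  # what Splunk reports as "Cannot parse into key-value pair"
    return stanzas, bad

def lint(inputs, props, transforms):
    """Flag the answer's three mistakes: missing '=', unknown transform, source:: vs sourcetype."""
    findings = []
    (in_st, _), (pr_st, pr_bad), (tr_st, _) = parse(inputs), parse(props), parse(transforms)
    sourcetypes = {kv["sourcetype"] for kv in in_st.values() if "sourcetype" in kv}
    for n, line in pr_bad:
        findings.append(f"props.conf line {n}: no '=' in {line!r}")
    for stanza, kv in pr_st.items():
        if stanza.startswith("source::") and stanza[8:] in sourcetypes:
            findings.append(f"[{stanza}] names a sourcetype; use [{stanza[8:]}]")
        for key, value in kv.items():
            if key.startswith("REPORT-"):
                for name in re.split(r"\s*,\s*", value):
                    if name not in tr_st:
                        findings.append(f"{key} references undefined transform {name!r}")
    return findings
```

Calling `lint(INPUTS, PROPS, TRANSFORMS)` on the configuration as posted reports the missing equals sign and the `source::` stanza; the transform-name mismatch only surfaces once the `REPORT-` line parses as a key-value pair.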