Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

cvs log is not getting ingested when it has only one line (in addition to the header)

mlevsh
Builder
‎01-31-2024 01:57 PM

Hi,

We came across strange issue:
cvs logs are not getting ingested when it only has only one line (in addition to the header) in a log.
The same logs with two and more lines are ingested successfully

Here are inputs.conf and  props.conf we are using

Inputs.conf
[monitor:///apps/ab_cd/resources/abcd/reports_rr/reports/abc/.../*_splunk.csv]  
sourcetype=source_type_name
index=index_name
ignoreOlderThan = 2h
crcSalt = <SOURCE>

props.conf

[source_type_name]
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
PREAMBLE_REGEX = ^Region
TIME_PREFIX= ^(?:[^,\n]*,){1}
TIME_FORMAT = %Y-%m-%d
MAX_TIMESTAMP_LOOKAHEAD=10
MAX_DAYS_HENCE = 5


Appreciate all the ideas

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎02-01-2024 05:57 AM

I was expecting your props.conf to have

INDEXED_EXTRACTIONS = CSV

You are also using a TIME_PREFIX instead of TIMESTAMP_FIELDS... 

And you have a PREAMBLE_REGEX set, which looks like it's set to the first fieldname in the header (which would remove the header line) though you don't provide FIELD_NAMES...

Putting that all together, it looks like you aren't really treating those files as CSV files.  I'm not sure what's going on, but I wonder if it would work right if you treated them as CSV.

If that doesn't help, it'd be useful to see the contents of a file that doesn't work, and one that does. 

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...