Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

.dat file indexing problem??

rakesh_498115
Motivator
‎07-26-2013 03:21 AM

Hi..

I have a .dat file which is not a dat file instead , the extension is saved as .dat . Now i have told splunk to index this file..with the following settings..but i couldnt see tat happening ..

Configuration i have given is..

//inputs.conf

[monitor:///splunkInput/Siebel/TO_SPLUNK.dat]
disabled = false
followTail = 0
index = main
sourcetype = siebel_dat

//props.conf

[siebel_dat]
BREAK_ONLY_BEFORE = \d{2}\-[A-Z]{3}\-\d{2}
LEARN_MODEL = false
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = true
TIME_FORMAT = %d-%b-%y
invalid_cause = binary
is_valid = False
pulldown_type = 1



Platform : Linux 2.6.18-238.el5 
Splunk vesion : splunk-4.3.2-123586-linux-2.6-x86_64.rpm

Can you pls help..wat could be the issue here ??

Tags (2)
0 Karma
Reply

grijhwani
Motivator
‎07-26-2013 05:31 AM

You have not provided nearly enough information in the question to really posit an answer.

What platform?

What Splunk version?

What is the format of the records to be indexed?

What can you not see happening? How are you trying to observe it?

Besides adding to the configuration files, what processes did you follow to invoke the changes? I am presuming from your karma that you are reasonably well experienced and unlikely to overlook the simple things, but it is worth asking anyway. For instance did you restart Splunk after the configuration change? And for your monitor stanza, is your file path literally as typed, including the mixed use of case, if you are running on a case-sensitive o/s (*nix)?

0 Karma
Reply

rakesh_498115
Motivator
‎07-26-2013 07:12 AM

trailing process link i have used is
https://myserver:8090/en-US/services/admin/inputstatus/TailingProcessor%3AFileStatus

0 Karma
Reply

rakesh_498115
Motivator
‎07-26-2013 07:12 AM

Hmmm thanx grijhwani ..seems like too many questions..ok..let me answer your questions..

platform : Linux 2.6.18-238.el5
Splunk vesion : splunk-4.3.2-123586-linux-2.6-x86_64.rpm
format of the records : its a xml file saved in the extension of dat. it will have the date of the day as starting of the event .so i have defined my props to break at that point.

i have tried restarting splunk and checked the status using trainling process thing..then i found splunk saying "un readable filetype"

and my filepath is correct and it contains the mixed case of letters.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...