Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

.dat file indexing problem??

rakesh_498115
Motivator
‎07-26-2013 03:21 AM

Hi..

I have a .dat file which is not a dat file instead , the extension is saved as .dat . Now i have told splunk to index this file..with the following settings..but i couldnt see tat happening ..

Configuration i have given is..

//inputs.conf

[monitor:///splunkInput/Siebel/TO_SPLUNK.dat]
disabled = false
followTail = 0
index = main
sourcetype = siebel_dat

//props.conf

[siebel_dat]
BREAK_ONLY_BEFORE = \d{2}\-[A-Z]{3}\-\d{2}
LEARN_MODEL = false
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = true
TIME_FORMAT = %d-%b-%y
invalid_cause = binary
is_valid = False
pulldown_type = 1



Platform : Linux 2.6.18-238.el5 
Splunk vesion : splunk-4.3.2-123586-linux-2.6-x86_64.rpm

Can you pls help..wat could be the issue here ??

Tags (2)
0 Karma
Reply

grijhwani
Motivator
‎07-26-2013 05:31 AM

You have not provided nearly enough information in the question to really posit an answer.

What platform?

What Splunk version?

What is the format of the records to be indexed?

What can you not see happening? How are you trying to observe it?

Besides adding to the configuration files, what processes did you follow to invoke the changes? I am presuming from your karma that you are reasonably well experienced and unlikely to overlook the simple things, but it is worth asking anyway. For instance did you restart Splunk after the configuration change? And for your monitor stanza, is your file path literally as typed, including the mixed use of case, if you are running on a case-sensitive o/s (*nix)?

0 Karma
Reply

rakesh_498115
Motivator
‎07-26-2013 07:12 AM

trailing process link i have used is
https://myserver:8090/en-US/services/admin/inputstatus/TailingProcessor%3AFileStatus

0 Karma
Reply

rakesh_498115
Motivator
‎07-26-2013 07:12 AM

Hmmm thanx grijhwani ..seems like too many questions..ok..let me answer your questions..

platform : Linux 2.6.18-238.el5
Splunk vesion : splunk-4.3.2-123586-linux-2.6-x86_64.rpm
format of the records : its a xml file saved in the extension of dat. it will have the date of the day as starting of the event .so i have defined my props to break at that point.

i have tried restarting splunk and checked the status using trainling process thing..then i found splunk saying "un readable filetype"

and my filepath is correct and it contains the mixed case of letters.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...