
.dat file indexing problem??



I have a .dat file which is not a dat file; instead, the extension is saved as .dat. Now I have told Splunk to index this file with the following settings, but I couldn't see that happening.

The configuration I have given is:


disabled = false
followTail = 0
index = main
sourcetype = siebel_dat


BREAK_ONLY_BEFORE = \d{2}\-[A-Z]{3}\-\d{2}
TIME_FORMAT = %d-%b-%y
invalid_cause = binary
is_valid = False
pulldown_type = 1

Platform: Linux 2.6.18-238.el5
Splunk version: splunk-4.3.2-123586-linux-2.6-x86_64.rpm

Can you please help? What could be the issue here?

0 Karma


You have not provided nearly enough information in the question to really posit an answer.

What platform?

What Splunk version?

What is the format of the records to be indexed?

What can you not see happening? How are you trying to observe it?

Besides adding to the configuration files, what processes did you follow to invoke the changes? I am presuming from your karma that you are reasonably well experienced and unlikely to overlook the simple things, but it is worth asking anyway. For instance did you restart Splunk after the configuration change? And for your monitor stanza, is your file path literally as typed, including the mixed use of case, if you are running on a case-sensitive o/s (*nix)?

0 Karma



Hmmm, thanks grijhwani. Seems like too many questions. OK, let me answer your questions.

Platform: Linux 2.6.18-238.el5
Splunk version: splunk-4.3.2-123586-linux-2.6-x86_64.rpm
Format of the records: it's an XML file saved with the extension .dat. It will have the date of the day as the start of the event, so I have defined my props to break at that point.

I have tried restarting Splunk and checked the status using the tailing process thing; then I found Splunk saying "un readable filetype".

And my file path is correct, and it contains mixed-case letters.

0 Karma