Monitoring Splunk
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

CSV file Indexing issue

Nadhiyaa
Path Finder
‎02-16-2019 11:55 PM

Hi,

Below is my content of my csv file

Splunk_Backup_Success_Rate
"A table showing the master server, number of backups that were successful and failed, the success rate and total amount processed for each day "
Report Time Frame: Previous 24 Hours
Period,Node Name,Successful Jobs,Failed Jobs,Total Job Count,Success Rate (%),Size(GB)
2019-02-16,dcabak02.dca.com,2278,7,2285,99.69,"8,350.13"
2019-02-17,dcabak02.dca.com,948,1,949,99.89,"8,581.66"
GRAND SUMMARY,-,3226,8,3234,99.75,"16,931.78"
"Report generated on Feb 17, 2019 7:01:39 AM"

I Want to index only these 3 lines
Period,Node Name,Successful Jobs,Failed Jobs,Total Job Count,Success Rate (%),Size(GB)
2019-02-16,dcabak02.dca.com,2278,7,2285,99.69,"8,350.13"
2019-02-17,dcabak02.dca.com,948,1,949,99.89,"8,581.66"

Below is my configuration setting

Transforms.conf
[netbackup]
DELIMS = ","
FIELDS=Period,Node Name,Successful Jobs,Failed Jobs,Total Job Count,Success Rate (%),Size(GB)

props.conf

[netbackup]
DATETIME_CONFIG = CURRENT
FIELD_DELIMITER = ,
INDEXED_EXTRACTIONS = csv
CHECK_FOR_HEADER = true
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
disabled = false
pulldown_type = true
REPORT-netbackup = REPORT-netbackup[netbackup]
DATETIME_CONFIG = CURRENT
FIELD_DELIMITER = ,
INDEXED_EXTRACTIONS = csv
CHECK_FOR_HEADER = true
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
disabled = false
pulldown_type = true
REPORT-netbackup = REPORT-netbackup

Somehow my data not being indexed into Splunk. Can anyone please tell me whats wrong with the conf

Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-17-2019 01:30 PM

What you have is not a CSV file so trying to treat it like one will fail. instead, select the lines you want for indexing and the rest to the null queue.

props.conf:

[netbackup]
SHOULD_LINEMERGE = false
TRANSFORMS-netbackup = netbackup, setnull

transforms.conf:

[netbackup]
REGEX = ^\d\d\d\d-\d\d-\d\d
DEST_KEY = queue
FIELDS=Period,Node Name,Successful Jobs,Failed Jobs,Total Job Count,Success Rate (%),Size(GB)

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Nadhiyaa
Path Finder
‎02-17-2019 11:43 PM

Hi @ richgalloway

I tried but still not able to index.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-19-2019 10:42 AM

How are you trying to find the data (what is your search)?
Consider renaming the fields to remove spaces and special characters. You can rename them back at search time.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...