Monitoring Splunk
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

CSV file Indexing issue

Nadhiyaa
Path Finder
‎02-16-2019 11:55 PM

Hi,

Below is my content of my csv file

Splunk_Backup_Success_Rate
"A table showing the master server, number of backups that were successful and failed, the success rate and total amount processed for each day "
Report Time Frame: Previous 24 Hours
Period,Node Name,Successful Jobs,Failed Jobs,Total Job Count,Success Rate (%),Size(GB)
2019-02-16,dcabak02.dca.com,2278,7,2285,99.69,"8,350.13"
2019-02-17,dcabak02.dca.com,948,1,949,99.89,"8,581.66"
GRAND SUMMARY,-,3226,8,3234,99.75,"16,931.78"
"Report generated on Feb 17, 2019 7:01:39 AM"

I Want to index only these 3 lines
Period,Node Name,Successful Jobs,Failed Jobs,Total Job Count,Success Rate (%),Size(GB)
2019-02-16,dcabak02.dca.com,2278,7,2285,99.69,"8,350.13"
2019-02-17,dcabak02.dca.com,948,1,949,99.89,"8,581.66"

Below is my configuration setting

Transforms.conf
[netbackup]
DELIMS = ","
FIELDS=Period,Node Name,Successful Jobs,Failed Jobs,Total Job Count,Success Rate (%),Size(GB)

props.conf

[netbackup]
DATETIME_CONFIG = CURRENT
FIELD_DELIMITER = ,
INDEXED_EXTRACTIONS = csv
CHECK_FOR_HEADER = true
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
disabled = false
pulldown_type = true
REPORT-netbackup = REPORT-netbackup[netbackup]
DATETIME_CONFIG = CURRENT
FIELD_DELIMITER = ,
INDEXED_EXTRACTIONS = csv
CHECK_FOR_HEADER = true
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
disabled = false
pulldown_type = true
REPORT-netbackup = REPORT-netbackup

Somehow my data not being indexed into Splunk. Can anyone please tell me whats wrong with the conf

Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-17-2019 01:30 PM

What you have is not a CSV file so trying to treat it like one will fail. instead, select the lines you want for indexing and the rest to the null queue.

props.conf:

[netbackup]
SHOULD_LINEMERGE = false
TRANSFORMS-netbackup = netbackup, setnull

transforms.conf:

[netbackup]
REGEX = ^\d\d\d\d-\d\d-\d\d
DEST_KEY = queue
FIELDS=Period,Node Name,Successful Jobs,Failed Jobs,Total Job Count,Success Rate (%),Size(GB)

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Nadhiyaa
Path Finder
‎02-17-2019 11:43 PM

Hi @ richgalloway

I tried but still not able to index.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-19-2019 10:42 AM

How are you trying to find the data (what is your search)?
Consider renaming the fields to remove spaces and special characters. You can rename them back at search time.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...