Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

CSV file Indexing issue

Nadhiyaa
Path Finder
‎02-16-2019 11:55 PM

Hi,

Below is my content of my csv file

Splunk_Backup_Success_Rate
"A table showing the master server, number of backups that were successful and failed, the success rate and total amount processed for each day "
Report Time Frame: Previous 24 Hours
Period,Node Name,Successful Jobs,Failed Jobs,Total Job Count,Success Rate (%),Size(GB)
2019-02-16,dcabak02.dca.com,2278,7,2285,99.69,"8,350.13"
2019-02-17,dcabak02.dca.com,948,1,949,99.89,"8,581.66"
GRAND SUMMARY,-,3226,8,3234,99.75,"16,931.78"
"Report generated on Feb 17, 2019 7:01:39 AM"

I Want to index only these 3 lines
Period,Node Name,Successful Jobs,Failed Jobs,Total Job Count,Success Rate (%),Size(GB)
2019-02-16,dcabak02.dca.com,2278,7,2285,99.69,"8,350.13"
2019-02-17,dcabak02.dca.com,948,1,949,99.89,"8,581.66"

Below is my configuration setting

Transforms.conf
[netbackup]
DELIMS = ","
FIELDS=Period,Node Name,Successful Jobs,Failed Jobs,Total Job Count,Success Rate (%),Size(GB)

props.conf

[netbackup]
DATETIME_CONFIG = CURRENT
FIELD_DELIMITER = ,
INDEXED_EXTRACTIONS = csv
CHECK_FOR_HEADER = true
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
disabled = false
pulldown_type = true
REPORT-netbackup = REPORT-netbackup[netbackup]
DATETIME_CONFIG = CURRENT
FIELD_DELIMITER = ,
INDEXED_EXTRACTIONS = csv
CHECK_FOR_HEADER = true
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
disabled = false
pulldown_type = true
REPORT-netbackup = REPORT-netbackup

Somehow my data not being indexed into Splunk. Can anyone please tell me whats wrong with the conf

Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-17-2019 01:30 PM

What you have is not a CSV file so trying to treat it like one will fail. instead, select the lines you want for indexing and the rest to the null queue.

props.conf:

[netbackup]
SHOULD_LINEMERGE = false
TRANSFORMS-netbackup = netbackup, setnull

transforms.conf:

[netbackup]
REGEX = ^\d\d\d\d-\d\d-\d\d
DEST_KEY = queue
FIELDS=Period,Node Name,Successful Jobs,Failed Jobs,Total Job Count,Success Rate (%),Size(GB)

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Nadhiyaa
Path Finder
‎02-17-2019 11:43 PM

Hi @ richgalloway

I tried but still not able to index.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-19-2019 10:42 AM

How are you trying to find the data (what is your search)?
Consider renaming the fields to remove spaces and special characters. You can rename them back at search time.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Get Operational Insights Quickly with Natural Language on the Splunk Platform

In today’s fast-paced digital world, turning data into actionable insights is essential for success. With ...

Stay Connected: Your Guide to August Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Unleash the Power of Splunk MCP and AI, Meet Us at .Conf 2025, and Find Even More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Top