Splunk Cloud Platform
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why does the data gets truncated with csv ingestion?

vaneet
Explorer
‎11-27-2020 03:51 PM

Hi,

When I am ingesting a csv file to splunk cloud, few events gets truncated from the file. How to resolve this?

sourcetype=csv

I have used forwarder level props.conf 

[csv]

INDEXED_EXTRACTIONS=csv

Labels (1)
Labels
Tags (3)
0 Karma
Reply

vaneet
Explorer
‎12-01-2020 01:29 PM

vaneet_0-1606857851171.png

 

This was one of the event which only has year and rest of the data is not there ,,,other part of data is in separate event . Every time its happing with 7-8 events from a file of 800 events.

0 Karma
Reply

vaneet
Explorer
‎12-01-2020 11:03 AM

timeStamp,label,responseCode,Hostname
2020/10/29 19:14:12,3 /xxxxxx,302,xxxxxxxx
2020/10/29 19:14:15,Forgot your ID or password?,200,xxxxxxxx
2020/10/29 19:14:19,Signup for free,200,xxxxxxxxxx
2020/10/29 19:14:23,3 /xxxxxxxxxx,302,xxxxxxxxx

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-01-2020 12:18 PM

Thanks for the sample data.

This is the second time you've ignored my question about where the events are truncated.  We need to know more about the problem to understand what may be going wrong.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

vaneet
Explorer
‎12-01-2020 07:35 AM

Below is the inputs:

[monitor://path]
index = xyz
sourcetype = csv
disabled = false

We also tried to add props at the indexing tier but results were same.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-01-2020 10:30 AM

Where are the events truncated?  Is it after a certain length, a certain field, a certain character, or something else?

Can you share the first few lines of a sample file?  Sanitize as needed, but please don't ruin the context.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

vaneet
Explorer
‎11-30-2020 06:11 PM

1. events are getting truncated and not dropped. Events are small 

timeStamp,label,responseCode,Hostname

file size is 80 kb

2. Using a Universal forwarder

 

3. 

I have used forwarder level props.conf 

[csv]

INDEXED_EXTRACTIONS=csv

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-01-2020 06:19 AM

Where are events truncated?

That props.conf should be on the indexer (or heavy forwarder, if the CSV passes through one) rather than the UF.

Please share the inputs.conf settings for the CSV.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-27-2020 05:08 PM

Much more information is needed.

Define "few".  Are events getting truncated or are events being dropped?  How big are the events?  How big is the file?

Which type of forwarder are you using?

Do you have any custom props.conf settings?  If so, what are they and where are they placed?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...