Splunk Cloud Platform

Why does the data gets truncated with csv ingestion?

vaneet
Explorer

Hi,

When I am ingesting a csv file to splunk cloud, few events gets truncated from the file. How to resolve this?

sourcetype=csv

I have used forwarder level props.conf 

[csv]

INDEXED_EXTRACTIONS=csv

Labels (1)
Tags (3)
0 Karma

vaneet
Explorer

vaneet_0-1606857851171.png

 

This was one of the event which only has year and rest of the data is not there ,,,other part of data is in separate event . Every time its happing with 7-8 events from a file of 800 events.

0 Karma

vaneet
Explorer

timeStamp,label,responseCode,Hostname
2020/10/29 19:14:12,3 /xxxxxx,302,xxxxxxxx
2020/10/29 19:14:15,Forgot your ID or password?,200,xxxxxxxx
2020/10/29 19:14:19,Signup for free,200,xxxxxxxxxx
2020/10/29 19:14:23,3 /xxxxxxxxxx,302,xxxxxxxxx

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Thanks for the sample data.

This is the second time you've ignored my question about where the events are truncated.  We need to know more about the problem to understand what may be going wrong.

---
If this reply helps you, Karma would be appreciated.
0 Karma

vaneet
Explorer

Below is the inputs:

[monitor://path]
index = xyz
sourcetype = csv
disabled = false

We also tried to add props at the indexing tier but results were same.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Where are the events truncated?  Is it after a certain length, a certain field, a certain character, or something else?

Can you share the first few lines of a sample file?  Sanitize as needed, but please don't ruin the context.

---
If this reply helps you, Karma would be appreciated.
0 Karma

vaneet
Explorer

1. events are getting truncated and not dropped. Events are small 

timeStamp,label,responseCode,Hostname

file size is 80 kb

2. Using a Universal forwarder

 

3. 

I have used forwarder level props.conf 

[csv]

INDEXED_EXTRACTIONS=csv

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Where are events truncated?

That props.conf should be on the indexer (or heavy forwarder, if the CSV passes through one) rather than the UF.

Please share the inputs.conf settings for the CSV.

---
If this reply helps you, Karma would be appreciated.
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Much more information is needed.

Define "few".  Are events getting truncated or are events being dropped?  How big are the events?  How big is the file?

Which type of forwarder are you using?

Do you have any custom props.conf settings?  If so, what are they and where are they placed?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...