Splunk Enterprise

Why are my files not all indexed ?

TISKAR
Builder

Hello,

I'm using Splunk Light, being in trial period (max indexation = 5Go/day)

I have 19 files:

r_licencie_temp_1_bis.csv
r_licencie_temp_2_bis.csv
r_licencie_temp_3_bis.csv
r_licencie_temp_4_bis.csv
r_licencie_temp_5_bis.csv
r_licencie_temp_6_bis.csv
r_licencie_temp_7_bis.csv
r_licencie_temp_8_bis.csv
r_licencie_temp_9_bis.csv
r_licencie_temp_10_bis.csv

r_licencie_temp_11_bis.csv

r_licencie_temp_12_bis.csv
r_licencie_temp_13_bis.csv

r_licencie_temp_14_bis.csv

r_licencie_temp_15_bis.csv

r_licencie_temp_16_bis.csv

r_licencie_temp_17_bis.csv

r_licencie_temp_18_bis.csv

The sourcetype in props.conf is as follows:

[R_LICENCIE_TEMP1]
DATETIME_CONFIG =
FIELD_NAMES = LIC_COMPTEUR,BDX_COMPTEUR,LIC_TYPE,IDE_CLEE,LIC_NUMERO_PREC,IDE_CODE,LIC_ERREUR,DIS_CODE,DOJO_CODE,LIC_RENOUV,LIC_DATE,LIC_CODECN,LIC_TOP_COMPTA,LIC_VALIDE,LIC_BASCULEE,IDE_NOM,IDE_PRENOM,IDE_SEXE,IDE_NAISSANCE,ADR_ADRESSE1,ADR_ADRESSE2,ADR_CP,ADR_VILLE,LIC_UTILIS,LIC_DATE_MAJ,LIC_DATE_CREATION,LIC_TYPE_MAJ,LIC_SAISON,LIC_NONDIVULG,LIC_TOP_ASS,LIC_TRANCHE,LIC_A_BASCULER,IDE_CLEE_BIS,IDE_CODE_BIS,LIC_IMPRIMER,LIC_DATE_IMPRESSION,LIC_DATE_COMPTA,LIC_TOP_SIGNLIC2,LIC_TOP_SIGNLIC,ADR_E_MAIL,LIC_TOP_ABONNEMENT,LIC_GARANTIE,FON_CODE,RFN_NIVEAU,CODE_CEINTURE,DATE_CEINTURE,NUM_GSM,NUM_AUT
INDEXED_EXTRACTIONS = csv
NO_BINARY_CHECK = true
TIMESTAMP_FIELDS = LIC_DATE,LIC_DATE_MAJ,LIC_DATE_CREATION,LIC_DATE_IMPRESSION,LIC_DATE_COMPTA,DATE_CEINTURE
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N
category = ffjj
description = Table R_LICENCIE_TEMP
pulldown_type = 1
FIELD_DELIMITER = ;
disabled = false
MAX_DAYS_AGO=10951
KV_MODE=auto_escaped

I have configured a stanza as follows in inputs.conf:

[monitor:///home/pc/Bureau/LicencierT5]
disabled = false
index = ffjj
sourcetype = R_LICENCIE_TEMP1

I have moved the 19 files to the input directory and Splunk has indexed only part of. I don't understand why.

After I stopped splunk, I tried to reset the fishbucket index for files where no data has been indexed:

./splunk cmd btprobe -d /opt/splunk/var/lib/splunk/fishbucket/splunk_private_db --file /home/pc/Bureau/LicencierT5/r_licencie_temp_1_bis.csv --reset

When I restart... data are not systematically loaded (even if the daily quota is not reached) and the worse is that I loose some data from files previously successfully loaded.

source="/home/pc/Bureau/LicencierT5/r_licencie_temp_1_bis.csv" host="xxx-Pro-6300-MT" index="ffjj" | stats count

Can you help ?

Tags (1)
0 Karma
1 Solution

realsplunk
Motivator

Try adding crcSalt = SOURCE to your inputs.conf then restart Splunkforwarder

View solution in original post

0 Karma

TISKAR
Builder

Hello:

now I use version splunk Entreprise , and I have the same problem as splunk light and the trick crcSalt = < SOURCE> does not work.

Can you help.

0 Karma

realsplunk
Motivator

Try adding crcSalt = SOURCE to your inputs.conf then restart Splunkforwarder

View solution in original post

0 Karma

TISKAR
Builder

Thank you Merci

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!