I'm getting data from forwarders that are polling a CSV file. However the fields from the CSV are not being extracted. The file contents look something like: "FieldOne","FieldsTwo","FieldThree","FieldFour".
On the deploy server I have configured an app that gets deployed to all of the indexers and forwarders and the data is indexed into a new sourcetype and a new index. Following are the configurations that are deployed to the indexers and forwarders:
[monitor://D:\Program Files (x86)\reports\splunk\lists.csv] disabled = false followTail = 0 index = lists sourcetype = lists:reports
[source::D:\Program Files (x86)\reports\splunk\lists.csv] [lists:reports] FIELD_DELIMITER=, FIELD_QUOTE = " DATETIME_CONFIG = CURRENT INDEXED_EXTRACTIONS = csv NO_BINARY_CHECK = 1 SHOULD_LINEMERGE = false
I didn't configure a transforms.conf file. Thanks for your help!
I recently had this same problem. The way I fixed it was by removing the FIELDDELIMITER argument. I don't think it's something that you need since you're already defining what the delimiter is with 'INDEXEDEXTRACTIONS = csv'.
This behavior could be a bug or an intended feature of the configuration. FIELDDELIMITER, I believe, is designed to allow the use of additional special characters in the event that one of the default INDEXEDEXTRACTIONS values aren't what your data supports.