I have a distributed Splunk instance with the search head separated from the Indexers. I want to drop a CSV file with headers into Splunk and have it extract and match the fields up with the data and create extracted fields. I used the add data wizard to create a props and then deployed the props to the indexer and the search and then restarted both. I created an inputs for the file and then dropped the file to the the right path. I did add a max_lookahead to control which data is used by Splunk as index time.
I can see the data in Splunk, but nothing is being extracted. No interesting fields.
[test_alerts] MAX_TIMESTAMP_LOOKAHEAD = 36 SHOULD_LINEMERGE=false INDEXED_EXTRACTIONS=csv NO_BINARY_CHECK=true KV_MODE=none disabled=false pulldown_type=true
CurrentDate,ApplicationRef,RootApplicationID,credittxStatus,RootStatus,Propert,Customer,Created "2015-10-13 12:00:00.000000000","2782376730","2234329","Pending","Pending","test-ny","Property Management","09/01/2015 11:48:56" "2015-10-13 12:05:00.000000000","1461751231","2234336","Pending","Pending","test-ny","Property Management","09/01/2015 11:51:20"
Had the same issue with distributed architecture UF/HF/indexers/SH on different machines. Tested with props.conf on all of the machines in order to extract the fields from a CSV source with no header line. Didn't work until we tried the proposed here..... props.conf with CSV configuration on the UF alone. It worked like a charm.
Reviving this thread. I have exactly the same issue as OP. I upgraded the UF to v631 and added a stanza to props.conf, however the events are still not showing any fields. Now I have this same information in the props.conf of the indexer(v630) and the UF(v631). Am I missing something?
That is it - putting the props.conf on the UF solved the problem. When to put the props on the UF is a little confusing. @somesoni2 - if you can answer the question I will award you points. Thanks!
Very rarely do you put a props on a UF. This however is a case where you do.
It would be nice to see the docs.splunk pages for props updated with information regarding what can be used on a forwarder. Had a colleague ask me this exact question yesterday and it doesn't help when official documentation isn't clear on this.