Splunk Search

Why is INDEXED_EXTRACTIONS=csv not working in props.conf?

ebailey
Communicator

I have a distributed Splunk instance with the search head separated from the Indexers. I want to drop a CSV file with headers into Splunk and have it extract and match the fields up with the data and create extracted fields. I used the add data wizard to create a props and then deployed the props to the indexer and the search and then restarted both. I created an inputs for the file and then dropped the file to the right path. I did add a max_lookahead to control which data is used by Splunk as index time.

I can see the data in Splunk, but nothing is being extracted. No interesting fields.

props.conf:

[test_alerts]
MAX_TIMESTAMP_LOOKAHEAD = 36
SHOULD_LINEMERGE=false
INDEXED_EXTRACTIONS=csv
NO_BINARY_CHECK=true
KV_MODE=none
disabled=false
pulldown_type=true

Data sample:

CurrentDate,ApplicationRef,RootApplicationID,credittxStatus,RootStatus,Propert,Customer,Created
"2015-10-13 12:00:00.000000000","2782376730","2234329","Pending","Pending","test-ny","Property Management","09/01/2015 11:48:56"
"2015-10-13 12:05:00.000000000","1461751231","2234336","Pending","Pending","test-ny","Property Management","09/01/2015 11:51:20"

Any ideas?

1 Solution

somesoni2
Revered Legend

Where is the inputs.conf for the CSV file you're ingesting, in a forwarder OR from Search Head?

boromir
Path Finder

Had the same issue with distributed architecture UF/HF/indexers/SH on different machines. Tested with props.conf on all of the machines in order to extract the fields from a CSV source with no header line. Didn't work until we tried what was proposed here... props.conf with CSV configuration on the UF alone. It worked like a charm.

0 Karma

rupendar
Loves-to-Learn

What do you mean by inputs.conf? What should I configure in that file? Can you please elaborate?

0 Karma

chengka
Explorer

Reviving this thread. I have exactly the same issue as OP. I upgraded the UF to v631 and added a stanza to props.conf, however the events are still not showing any fields. Now I have this same information in the props.conf of the indexer(v630) and the UF(v631). Am I missing something?

[ connections_mq]
SHOULD_LINEMERGE=false
INDEXED_EXTRACTIONS=csv
NO_BINARY_CHECK=true
CHARSET=UTF-8
KV_MODE=none
category=Structured
description=MQ Connections
disabled=false
pulldown_type=true
HEADER_FIELD_LINE_NUMBER=3
MAX_TIMESTAMP_LOOKAHEAD=1

0 Karma

chengka
Explorer

Ok, my bad. I had a space between the [ and the sourcetype! It works via the UF once I removed the space.

0 Karma

sideview
SplunkTrust

My thought exactly. It's counterintuitive, but indexed_extractions=csv needs to be on forwarders, even UFs.

stamatoc
Engager

Thank you a lot for your feedback. Indeed, after hours of testing and troubleshooting... I put the props in the UF as well and IT WORKED.

0 Karma

ebailey
Communicator

I am doing some testing - I think you are right. The props needs to be on the UF too. Thanks

0 Karma

ebailey
Communicator

That is it - putting the props.conf on the UF solved the problem. When to put the props on the UF is a little confusing. @somesoni2 - if you can answer the question I will award you points. Thanks!

0 Karma

Lucas_K
Motivator

Very rarely do you put a props on a UF. This however is a case where you do.

It would be nice to see the docs.splunk pages for props updated with information regarding what can be used on a forwarder. Had a colleague ask me this exact question yesterday and it doesn't help when official documentation isn't clear on this.
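
An added example, not part of any post in this thread and not Splunk tooling: a small Python check for the two mistakes the thread turned up, a forwarder-side props.conf with no INDEXED_EXTRACTIONS stanza for the monitored sourcetype, and a stanza header with a space inside the brackets. The function names and the hand-supplied list of sourcetypes are assumptions; the sample text is constructed from the stanzas posted above.

```python
import re

# Constructed sample: a forwarder-side props.conf built from the stanzas in
# the thread, including the stray space after "[" reported in one reply.
SAMPLE_PROPS = """\
[test_alerts]
SHOULD_LINEMERGE=false
INDEXED_EXTRACTIONS=csv

[ connections_mq]
INDEXED_EXTRACTIONS=csv
HEADER_FIELD_LINE_NUMBER=3
"""

STANZA = re.compile(r"^\[(.*)\]\s*$")

def parse_props(text):
    """Return {stanza_name_as_written: {KEY: value}} for a props.conf body."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA.match(line)
        if m:
            # Keep the name exactly as written so inner whitespace is visible.
            current = stanzas.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def lint_props(text, monitored_sourcetypes):
    """Check a forwarder's props.conf against the sourcetypes its inputs assign.

    monitored_sourcetypes is supplied by hand here (assumption); in practice it
    is whatever sourcetype the forwarder's inputs.conf sets for the CSV file.
    """
    stanzas = parse_props(text)
    findings = []
    for name in stanzas:
        if name != name.strip():
            findings.append(f"stanza [{name}] has whitespace inside the brackets")
    for st in monitored_sourcetypes:
        if "INDEXED_EXTRACTIONS" not in stanzas.get(st, {}):
            findings.append(f"sourcetype {st}: no INDEXED_EXTRACTIONS stanza on this forwarder")
    return findings

if __name__ == "__main__":
    for finding in lint_props(SAMPLE_PROPS, ["test_alerts", "connections_mq"]):
        print(finding)
```

Run it against the props.conf that is actually deployed to the forwarder reading the file, not the copy on the indexer or search head.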
