Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

step by step, adding a new csv datasource

agthurber
Explorer
‎08-22-2011 05:05 PM

I'm was missing something really simple when trying to set up a new datasource, so i put these steps together as i followed the documentation and hope they can help someone out. If I got anything wrong please correct me but this is how i got it working for my needs

step 1: create the index "myindex", i am doing this from inside of the splunk GUI, give it a name and click save

Step 2: stop splunk so i can manually edit/create the conf files needed to perform the desired functions

step 3: create/append $SPLUNK_HOME/etc/apps/search/local/inputs.conf with the following values

[monitor://$SPLUNK_HOME/input/myfile.csv]
host=myhost
source=mysource
sourcetype=mysourcetype
index=myindex

step 4: create/append $SPLUNK_HOME/etc/apps/search/local/props.conf

[source::mysource]
REPORT-mysource = mysource_csv

step 5: create/append $SPLUNK_HOME/etc/apps/search/local/transforms.conf

[mysource_csv]
DELIMS = ","
FIELDS = "field1","field2","field3","field4","field5"

step 6: start splunk and look for indexed data and fields

Reply
1 Solution
Solved! Jump to solution
Solution

agthurber
Explorer
‎08-22-2011 07:40 PM

got it to work, looks like i was having trouble locating the source after my initial experiments, so it was a simple mistake, but it was hard to find the cause, there was no obvious signs in the logs and no alerts popped up saying there was a problem finding the input file. Probably just a nubie issue but it would be nice to get some more feedback from splunk while trying to create the configurations needed to get the logs in.

hope this helps someone else along the way.

View solution in original post

Reply
Solved! Jump to solution
Solution

agthurber
Explorer
‎08-22-2011 07:40 PM

got it to work, looks like i was having trouble locating the source after my initial experiments, so it was a simple mistake, but it was hard to find the cause, there was no obvious signs in the logs and no alerts popped up saying there was a problem finding the input file. Probably just a nubie issue but it would be nice to get some more feedback from splunk while trying to create the configurations needed to get the logs in.

hope this helps someone else along the way.

Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...