So I copied your data, added commas and removed the thousands separators. It looks like this:
Daily Status Splunk
Customizable tabular report of all backup data (size, start time, status code etc) by client. In this report, accelerator optimization, savings, or factor is not considered as part of deduplication optimization, savings, or factor. In all other reports, the deduplication values include accelerator values.
Report Time Frame: Previous 24 Hours
Client Name,Job Duration,Job File Count, Throughput (KB/sec), Job Primary ID, Policy Name, Post Deduplication Size(MB), Job Status, Storage Unit Name
cpchiisi04.chi.cintas.com,4:31:00,1439,106432,161510,Isilon_SQL_Chi,824210.78,Successful,stu_disk_cpchibk002
cpmasisi04,23:40:57,1595462,55103,952085,Isilon_Common,7455.01,Successful,stu_disk_cpmasbk006
cpmasisi04,24:00:58,1051251,101290,952091,Isilon_Shares,3440.43,Successful,stu_disk_cpmasbk006
cpmasisi04,22:19:14,4180140,59338,952093,Isilon_Shares,1683.77,Successful,stu_disk_cpmasbk006
cpmasisi04,35:13:56,9271112,51439,952095,Isilon_Shares,11470.67,Successful,stu_disk_cpmasbk006
cpmasisi04,9:01:01,0,0,952807,Isilon_SQL,0,Failed,UNKNOWN
crbo042.na.cintas.com,1:05:14,31711314,128426,953499,VMDK_NonProd,7785.33,Successful,stu_disk_cpmasbk007
cdmasalc13.na.cintas.com,0:06:15,328231,636212,953575,VMDK_NonProd,297.52,Successful,stu_disk_cpmasbk007
cpmasisi04,7:04:13,23488,126773,953825,Isilon_SQL,1635803.66,Successful,stu_disk_cpmasbk007
cpmasfs01,1:30:53, 53000,24894,953915,Creative_Marketing,126956,Failed,cpmasbk006-hcart-robot-tld-0
As you can see, the names of the fields are on line 4.
The following sourcetype configuration makes it possible to index the data.
[sourcetype_answer]
DATETIME_CONFIG = CURRENT
HEADER_FIELD_LINE_NUMBER = 4
INDEXED_EXTRACTIONS = csv
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true
Just a few comments:
I did not use the regex config, as it is not necessary.
I did configure the timestamp to be the time of indexing, as there is no info in the file that could be used for this purpose.
I hope this answers your question.
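
A pre-indexing sanity check for this kind of report, added here as an example (it is not part of the original answer and is not Splunk's own parser): it takes the field names from the same header line as HEADER_FIELD_LINE_NUMBER and reports rows whose field count does not match the header, such as a row with a missing comma. The sample data, host names and function names are constructed for illustration.

```python
import csv

HEADER_LINE = 4  # same value as HEADER_FIELD_LINE_NUMBER in the stanza

# Constructed sample in the report's layout (hosts and values are made up).
SAMPLE = """Daily Status Splunk
Customizable tabular report of all backup data by client.
Report Time Frame: Previous 24 Hours
Client Name,Job Duration,Job File Count,Job Status
host-a.example.com,4:31:00,1439,Successful
host-b.example.com,35:13:56,9271112,Successful
host-c.example.com,0:06:15,328231 Successful
host-d.example.com,9:01:01,0,Failed
"""


def duration_seconds(text):
    """Convert H:MM:SS to seconds; hours may exceed 23 (e.g. 35:13:56)."""
    hours, minutes, seconds = (int(part) for part in text.split(":"))
    return hours * 3600 + minutes * 60 + seconds


def check_report(text, header_line=HEADER_LINE):
    """Return (fields, events, problems); problems are (file_line, message)."""
    lines = text.splitlines()
    if len(lines) < header_line:
        raise ValueError("file is shorter than the configured header line")
    reader = csv.reader(lines[header_line - 1:])
    fields = [name.strip() for name in next(reader)]
    events, problems = [], []
    for row in reader:
        file_line = reader.line_num + header_line - 1
        if not row:
            continue  # blank line, nothing to check
        if len(row) != len(fields):
            problems.append((file_line, f"expected {len(fields)} fields, got {len(row)}"))
            continue
        event = dict(zip(fields, (value.strip() for value in row)))
        try:
            event["duration_s"] = duration_seconds(event["Job Duration"])
        except ValueError:
            problems.append((file_line, "unparseable Job Duration"))
            continue
        events.append(event)
    return fields, events, problems


if __name__ == "__main__":
    print(check_report(SAMPLE))
```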