1) I have an input file which looks like below:
dc10splunksrch01:/opt/splunk/etc/apps/sfapp_all_zbx/lookups # head ZbxDailyReport.csv
host,hostname,alertname,alertstatus,alertseverity,alertdate
"prodmail2a","prodmail2a","Mail queue greater than 6000 on prodmail2a, current queue: 8051","OK","Information","Fri Sep 25 08:06:59 2015"
"prodmail2a","prodmail2a","Mail queue greater than 8000 on prodmail2a, current queue: 8051","Problem","high","Fri Sep 25 08:06:59 2015"
"pcwebp01n01.ams2.sf.priv","pcwebp01n01.ams2.sf.priv","pcwebp01n01.ams2.sf.priv /var Space Low (Total=1.94 GB, %Used=70.56 %)","Problem","Information","Fri Sep 25 08:09:32 2015"
"pcwebp01n01.ams2.sf.priv","pcwebp01n01.ams2.sf.priv","pcwebp01n01.ams2.sf.priv /var Space Low (Total=1.94 GB, %Used=70.56 %)","OK","average","Thu Sep 24 16:03:44 2015"
"scm001.ams2.sf.priv","scm001.ams2.sf.priv","CPU Load > 90%, Idle < 5% - scm001.ams2.sf.priv: Idle=56.49 %, Load=7.32, CPU.count=1","OK","high","Fri Sep 25 07:05:30 2015"
2) I am indexing it using the inputs.conf, props.conf, and transforms.conf like below.
dc10splunksrch01:/opt/splunk/etc/apps/sfapp_all_zbx/local # cat inputs.conf
[monitor:///opt/splunk/etc/apps/sfapp_all_zbx/lookups/ZbxDailyReport.csv]
disabled = false
followTail = 0
sourcetype=zbxAlertReport
index=dc10_oss
dc10splunksrch01:/opt/splunk/etc/apps/sfapp_all_zbx/local # cat transforms.conf
[zbxAlertReport]
filename = ZbxDailyReport.csv
dc10splunksrch01:/opt/splunk/etc/apps/sfapp_all_zbx/local # cat props.conf
[zbxAlertReport]
TRANSFORMS-index-oss = route-index-oss
3) But it's not getting indexed properly. In some cases I am getting multiple records in one line. Please refer to the screenshot. How can I get each line of the CSV file indexed correctly as one line in Splunk?
4) How can I cluster the same alertnames together irrespective of hostname, since the alertname has the hostname in it? First, I need to get rid of the hostname in the alertname and then group the alertnames together.
Note: the hostname doesn't come in a particular place in the alertname.
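The following is an added, stand-alone example (not part of the original post and not Splunk's own code) for the two parts of the question: reading the CSV so that each physical line is exactly one record even though the quoted alertname contains commas, and building a grouping key that ignores which host raised the alert. Because the hostname has no fixed position inside alertname, the key is produced by substituting the row's own hostname value (full name first, then its short form) wherever it occurs, which is the same substitution an eval with replace() does in a search. The sample records are the five lines from the question, embedded inline as constructed input; the HOST and N tokens and the optional collapse_values switch are this example's own choices, and collapse_values goes slightly beyond the question by also folding measured numbers (queue size, %Used, Load) so that different instances of the same check fall into one group.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample input: the five records shown in the question, embedded
# inline so the script runs offline without the real ZbxDailyReport.csv.
SAMPLE_CSV = """host,hostname,alertname,alertstatus,alertseverity,alertdate
"prodmail2a","prodmail2a","Mail queue greater than 6000 on prodmail2a, current queue: 8051","OK","Information","Fri Sep 25 08:06:59 2015"
"prodmail2a","prodmail2a","Mail queue greater than 8000 on prodmail2a, current queue: 8051","Problem","high","Fri Sep 25 08:06:59 2015"
"pcwebp01n01.ams2.sf.priv","pcwebp01n01.ams2.sf.priv","pcwebp01n01.ams2.sf.priv /var Space Low (Total=1.94 GB, %Used=70.56 %)","Problem","Information","Fri Sep 25 08:09:32 2015"
"pcwebp01n01.ams2.sf.priv","pcwebp01n01.ams2.sf.priv","pcwebp01n01.ams2.sf.priv /var Space Low (Total=1.94 GB, %Used=70.56 %)","OK","average","Thu Sep 24 16:03:44 2015"
"scm001.ams2.sf.priv","scm001.ams2.sf.priv","CPU Load > 90%, Idle < 5% - scm001.ams2.sf.priv: Idle=56.49 %, Load=7.32, CPU.count=1","OK","high","Fri Sep 25 07:05:30 2015"
"""


def parse_report(text):
    """Parse with a real CSV reader: commas inside the quoted alertname field
    must not split a record, and each physical line is exactly one record."""
    return list(csv.DictReader(io.StringIO(text)))


def alert_key(row, collapse_values=False):
    """Grouping key for an alert that ignores which host raised it.

    The row's own hostname is replaced with the token HOST wherever it occurs
    in alertname (it has no fixed position).  The full name is tried before
    its short form so 'pcwebp01n01.ams2.sf.priv' is not left half-replaced as
    'HOST.ams2.sf.priv'.  With collapse_values=True, numbers are also folded
    to N so measured values (queue size, %Used, Load) do not split a group.
    Hostname substitution runs first because hostnames themselves contain
    digits (e.g. prodmail2a).
    """
    name = row["alertname"]
    host = row["hostname"]
    for candidate in sorted({host, host.split(".")[0]}, key=len, reverse=True):
        name = re.sub(re.escape(candidate), "HOST", name)
    if collapse_values:
        name = re.sub(r"\d+(?:\.\d+)?", "N", name)
    return re.sub(r"\s+", " ", name).strip()


def group_alerts(rows, collapse_values=False):
    """Map each grouping key to the list of hostnames that raised it."""
    groups = defaultdict(list)
    for row in rows:
        groups[alert_key(row, collapse_values)].append(row["hostname"])
    return dict(groups)


if __name__ == "__main__":
    rows = parse_report(SAMPLE_CSV)
    print(f"{len(rows)} records parsed, one per CSV line")
    for key, hosts in group_alerts(rows, collapse_values=True).items():
        print(f"{len(hosts):2d} x {key}  <- {sorted(set(hosts))}")
```

Run as a script it prints three groups for the sample: the two mail-queue alerts fold together once their thresholds and queue sizes are collapsed, the two /var alerts share a key, and the CPU alert stands alone. Without collapse_values the mail-queue rows stay apart because 6000 and 8000 are different thresholds, which is the right behaviour when those are distinct checks.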