I am fairly new to Splunk, so please pardon any beginner's mistakes:
I am trying to set up Splunk to receive CSV files via a Universal Forwarder on a Windows 2k3 server and use the header of the file to attach fields. I have done the following:
On the universal forwarder:
[monitor://c:\some directory]
disabled = false
sourcetype = SBRAccounting
index=sbr
crcSalt =
On the Splunk server, where the indexer and search head are the same, I created a new custom app, and in /opt/splunk/etc/apps/SBRAccounting/local I created a props.conf file with the following content:
[SBRAccounting]
HEADER_FIELD_LINE_NUMBER = 1
FIELD_DELIMITER = ,
FIELD_QUOTE = "
I see the data coming into Splunk with sourcetype=SBRAccounting and index=sbr, but the fields are not there.
I created a dummy file on the Splunk server and created an inputs.conf file with the following to prove the props.conf file is configured correctly, and it seems to show the fields along with the data.
[monitor:///var/tmp/dummy.act]
sourcetype=SBRAccounting
A sample of the data follows:
"field1", "field2", "field3", ... "field100"
"data1", "data2", "data3",,,,,,,,"data(n)"
"data1", "data2", "data3",,,,,,,,"data(n)"
I feel that data coming in via forwarders is not being passed by my custom app's props.conf file. I even created an inputs.conf file with the following, and that didn't work either.
[splunktcp://:7001]
sourcetype=SBRAccounting
I need your help please.
Thanks