Are our ufix events considered by server to be erroneously indicated as CSV type? Is it a problem caused by unquoted space chars or something?
Sample ufix event:
"/opt/splunk/var/lib/splunk/xru/db/db_1531217904_1531166719_2035/rawdata","journal.gz",10.07.18 13:18 ,453815577,0,6E09087F,3,-
Sample ufix_status event:
List creation: 0, prj creation: 0, report creation: 0
splunk/etc/apps/x/local/props.conf:
[ufix]
DATETIME_CONFIG = CURRENT
FIELD_NAMES = directory, filename, date, byte_length, line_length, crc, crc_type, id_crc
INDEXED_EXTRACTIONS = csv
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = CSV-report by ФИКС-Unix
disabled = false
pulldown_type = true
[ufix_status]
category = Structured
pulldown_type = 1
EXTRACT-list_status = List creation: (?\d*), prj
EXTRACT-prj_status = prj creation: (?\d*),
EXTRACT-report_status = report creation: (?\d*)
DATETIME_CONFIG = CURRENT
FIELD_NAMES = directory, filename, modify_date, byte_length, line_length, crc, crc_type, id_crc
INDEXED_EXTRACTIONS = csv
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
... View more