Getting Data In

Issues ingesting csv through file monitor

Dmikos1271
Explorer

I recently set up a Splunk UF on a Windows server that did not have it. As part of that process I deployed the same deployment client that was used with all the other servers. My only goal for now is to do file monitoring from this specific server and to start I wanted to monitor a file location of a csv. 

The inputs.conf file looks like this:

[default]

host=SERVER1

[monitor://E:\Scripts\S_M\T_I\abipdb.csv]

sourcetype=abipdb-csv

index=abipdbindex

disabled = 0

The outputs.conf file was copied from one of the server locations with a UF that work fine. The events should be forwarding the data to an indexer cluster:

[tcpout]

defaultGroup=indexers_1,indexers_2

[tcpout: indexers_1]

server=10.##.##.##, 10.##.##.##

[tcpout: indexers_2]

server=10.##.##.##, 10.##.##.##

The splunkd.log shows that the above file location was added to watch. I did deploy an app with the new abipdbindex to the indexer cluster and I can see that index in the index list for each indexer (when checking in Splunk Web). I have a props.conf file set up for that sourcetype:

[abipdb-csv]

FIELD_DELIMITER=,

FIELD_NAMES=column1, column2, column3 etc... (column names match the column names in the csv file)

All the above conf files are stored in system\local and there is no other apps set up on this UF. 

However, the index has not ingested any events successfully. What could be set up incorrectly and why is the csv file not being ingested properly?

 

0 Karma
1 Solution

Dmikos1271
Explorer

The issue was resolved by amending the path from an absolute path E:\Scripts\S_M\T_I\abipdb.csv  to E:\Scripts\S_M\T_I\abipdb*.

View solution in original post

0 Karma

Dmikos1271
Explorer

The issue was resolved by amending the path from an absolute path E:\Scripts\S_M\T_I\abipdb.csv  to E:\Scripts\S_M\T_I\abipdb*.

0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>