- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- csv with headers processing
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
csv with headers processing
Hi,
Trying (still) to get delimted files properly handled by Splunk, with automatic failed extraction. I followed the directions on this link - http://answers.splunk.com/answers/29418/step-by-step-adding-a-new-csv-datasource - which seem very straighfoward. One difference is that my files are pipe (|) delimited. When I start splunk, I get a bunch of the following:
ossible typo in stanza [snmpinfo-87] in /apps/splunk/splunk/etc/apps/learned/local/props.conf, line 1158: DELIMS = "|"
Possible typo in stanza [snmpinfo-88] in /apps/splunk/splunk/etc/apps/learned/local/props.conf, line 1170: DELIMS = "|"
Possible typo in stanza [snmpinfo-89] in /apps/splunk/splunk/etc/apps/learned/local/props.conf, line 1182: DELIMS = "|"
Possible typo in stanza [snmpinfo-90] in /apps/splunk/splunk/etc/apps/learned/local/props.conf, line 1194: DELIMS = "|"
Possible typo in stanza [snmpinfo-91] in /apps/splunk/splunk/etc/apps/learned/local/props.conf, line 1206: DELIMS = "|"
WARN IniFile - /apps/splunk/splunk/etc/system/local/props.conf, line 10: Cannot parse into key-value pair: REPORT-mysource snmp_csv
Does anyone have any suggestions? This is really frustrating me. My files are such:
inputs:
[monitor:///usr/local/nsmutils/export/current/]
index=perfstats
sourcetype=snmpinfo
followTail = 0
blacklist = .csv
crcSalt =
initCrcLength = 500
props:
[source::snmpinfo]
REPORT-mysource snmp_csv
MAX_TIMESTAMP_LOOKAHEAD = 30
SHOULD_LINEMERGE = FALSE
KV_MODE = none
CHECK_FOR_HEADER = TRUE
NO_BINARY_CHECK = 1
TIME_FORMAT = %s
SHOULD_LINEMERGE = false
TIME_PREFIX = ^"
TZ = US/Eastern
transforms:
[smp_csv]
DELIMS = "|"
FIELDS = "ATime","aItemId","aintMfName","ametric","avalue","amfDisplayName","adevice","acomponentName"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Three things:
- You have the wrong syntax in props.conf.
REPORT-mysource snmp_csvis missing an equals sign - it should beREPORT-mysource = snmp_csv. - You have a typo in transforms.conf - you refer to
snmp_csvin props.conf but the transform is calledsmp_csv. - I think you've confused source with sourcetype.
snmpinfois the sourcetype, not the source, so when you say[source::snmpinfo]in props.conf, this won't match any events and your settings will not be applied no matter how correct they are. Your stanza should read just[snmpinfo]instead.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It definitely can. Those warnings are not from your settings, they are from other config files.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the help. I made those adjustments, but I'm still getting the same errors. Can splunk handle a pipe as a delimiter?
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
