How to configure Splunk to read a csv file sent fr...

chadman · ‎12-16-2014

Hello! I'm new to Splunk and trying to setup a proof of how Splunk could read log files from an application I wrote that monitors system health. Currently this application stores log files in a csv format locally on the workstation. I'm trying to get Splunk forwarder to send the csv files to our Splunk indexer and read these files. How can I have Splunk see the csv format when I do my searches? Here is what I have done, but it's not working. Can I even use wildcards like I have done below? I have these setup on the Splunk server.
Props.conf
[logs_csv]
source=c:\Program Files\EJSysCheck\Logs*
sourcetype = *_EJLog

[logs_csv]
DELIMS=","
FEILDS="Date","Eth1 IP","Eth1 Status","Wireless IP","Wireless Status","TunnelIP","Tunnel Status","Jorp","Idle Time","Lock Status","Available Disk Space Gigs","Available Memory Megs","System Uptime","CPU","RA Image","Tunnel Connection","Ping Google","Time to Ping Google","Ping Internal","Time to Ping Internal"

Ayn · ‎12-16-2014

It seems you've got the syntax wrong for the conf files. source and sourcetype aren't valid configuration directives in props.conf.

You can't have the indexer read a CSV from a remote workstation. The only way to get the CSV into Splunk, using Splunk's own mechanisms, is by adding a file monitor for it on the forwarder which will then forward it to the indexer which in turn will index that data.

chadman · ‎12-16-2014

Ayn, Thanks! I do have the forwarder working and it's sending data to the indexer. When I do a search each event shows up as a long csv string instead of breaking it up into fields. I'm trying to setup the indexer to break up the csv files that start with *_EJLog in a

How to configure Splunk to read a csv file sent from a forwarder?

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk