Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Inconsistent sourcetype while indexing CSV files

erga00
Path Finder
‎06-25-2010 08:48 PM

I'm indexing a CSV file and I just can't get Splunk to extract any fields or apply the proper sourcetype to the events. The desired sourcetype is acs and what I'm getting is acs-n where is some number which varies, acs-1, acs-2, etc.

I saw another answer about this issue which basically stated that it had something to do with the functionality that automatically parses field names from the header. I don't have CHECK_FOR_HEADER = true and I specify the sourcetype in the inputs.conf stanza so I don't understand what's going on.

I should mention that I have another CSV file being indexed using the same procedure as below and it works perfectly.

Has anyone run into this before?

input file:
Date,Time,Message-Type,User-Name,Group-Name,Caller-ID,NAS-Port,NAS-IP-Address
04/03/2010,00:00:00,Authen OK,c1tr1x_wds,Network Services,0004.235f.4c1c,c1tr1x_wds,10.6.70.

inputs.conf:
[monitor://\server\logs]
sourcetype = acs
_whitelist = Failed Attempts.*.csv

props.conf:
[acs]
REPORT-acs-fail = acs-fail-fields

transforms.conf:
[acs-fail-fields]
FIELDS = "date", "time", "message-type", "user", "user_group", "message", "junk1", "junk2", "src_mac", "nas-port", "src_ip"
DELIMS = ","

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

jrodman
Splunk Employee
Splunk Employee
‎06-25-2010 10:53 PM

This is the fallout from CHECK_FOR_HEADER.

There's a bug where CHECK_FOR_HEADER is applied based on filename pattern, despite not being in your sourcetype. You might be able to work around by declaring CHECK_FOR_HEADER = false explicitly in your sourcetype, or by declaring [source::.../Failed Attempts.*.csv] sourcetype=acs in props.conf, especially if you set a priority value of eg 100.

The bug is due for fixing in 4.1.4, which will be a few weeks -- we're verifying bugs as fast as we can.

View solution in original post

Reply
Solved! Jump to solution

erga00
Path Finder
‎06-28-2010 03:08 PM

Yes. This is on a forwarder.

I thought I was setting an explicit sourcetype. Am I not understanding what that means?

0 Karma
Reply
Solved! Jump to solution
Solution

jrodman
Splunk Employee
Splunk Employee
‎06-25-2010 10:53 PM

This is the fallout from CHECK_FOR_HEADER.

There's a bug where CHECK_FOR_HEADER is applied based on filename pattern, despite not being in your sourcetype. You might be able to work around by declaring CHECK_FOR_HEADER = false explicitly in your sourcetype, or by declaring [source::.../Failed Attempts.*.csv] sourcetype=acs in props.conf, especially if you set a priority value of eg 100.

The bug is due for fixing in 4.1.4, which will be a few weeks -- we're verifying bugs as fast as we can.

Reply
Solved! Jump to solution

jrodman
Splunk Employee
Splunk Employee
‎03-04-2011 11:47 PM

The expansion of the sourcetype into multiple sourcetypes allows the system to store the list of fields on a per-file basis, since there's no guarantee it doesn't change. Why the first one is -2, instead of nothing or -1, is some minor internal misbehavior that doesn't really change the situation, since you'll get multiple sourcetypes eventually. This behavior forces you to account for multiple sourcetypes in your searches manually, by eg folding them back together using eval and such. It's a pain.

0 Karma
Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎03-04-2011 10:40 PM

fwiw something similar is happening to me on 4.1.6. But I do need CHECK_FOR_HEADER, so maybe I'm out of luck. Are there docs about what the "-2" suffixes are trying to do for me?

0 Karma
Reply
Solved! Jump to solution

jrodman
Splunk Employee
Splunk Employee
‎06-28-2010 06:23 PM

In the dumbest possible case, you can either disable the [source::....csv] sourcetype=csv stanza, or turn off CHECK_FOR_HEADER for the [csv] sourcetype stanza. Obviously these approaches are a bit more intrusive.

0 Karma
Reply
Solved! Jump to solution

erga00
Path Finder
‎06-28-2010 03:11 PM

Neither explicitly setting CHECK_FOR_HEADER=false or declaring [source::.../Failed Attempts.*.csv] with priority = 100 worked.

Thanks for the help. I'll open a support case and see if they can track it down.

0 Karma
Reply
Solved! Jump to solution

Lowell
Super Champion
‎06-25-2010 09:01 PM

Are you doing any forwarding? I believe that CHECK_FOR_HEADER doesn't work right when forwarders are involved. (I could be wrong about that.) I've always ended up making explicit sourcetypes rather than relying on CHECK_FOR_HEADER, for whatever that's worth.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...