
.dat file indexing problem??

rakesh_498115
Motivator

Hi..

I have a .dat file which is not a dat file; instead, the extension is saved as .dat. Now I have told Splunk to index this file with the following settings, but I couldn't see that happening.

The configuration I have given is:

//inputs.conf

[monitor:///splunkInput/Siebel/TO_SPLUNK.dat]
disabled = false
followTail = 0
index = main
sourcetype = siebel_dat

//props.conf

[siebel_dat]
BREAK_ONLY_BEFORE = \d{2}\-[A-Z]{3}\-\d{2}
LEARN_MODEL = false
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = true
TIME_FORMAT = %d-%b-%y
invalid_cause = binary
is_valid = False
pulldown_type = 1



Platform: Linux 2.6.18-238.el5
Splunk version: splunk-4.3.2-123586-linux-2.6-x86_64.rpm

Can you please help? What could be the issue here?

0 Karma

grijhwani
Motivator

You have not provided nearly enough information in the question to really posit an answer.

What platform?

What Splunk version?

What is the format of the records to be indexed?

What can you not see happening? How are you trying to observe it?

Besides adding to the configuration files, what processes did you follow to invoke the changes? I am presuming from your karma that you are reasonably well experienced and unlikely to overlook the simple things, but it is worth asking anyway. For instance did you restart Splunk after the configuration change? And for your monitor stanza, is your file path literally as typed, including the mixed use of case, if you are running on a case-sensitive o/s (*nix)?

0 Karma


rakesh_498115
Motivator

Hmmm, thanks grijhwani. Seems like too many questions. OK, let me answer your questions.

Platform: Linux 2.6.18-238.el5
Splunk version: splunk-4.3.2-123586-linux-2.6-x86_64.rpm
Format of the records: it's an XML file saved with the extension of dat. It will have the date of the day as the start of the event, so I have defined my props to break at that point.

I have tried restarting Splunk and checked the status using the tailing process thing; then I found Splunk saying "un readable filetype".

And my file path is correct, and it contains the mixed case of letters.

0 Karma