Getting Data In

How to get Splunk to index a small 1.5KB CSV file?

vr2312
Contributor

I am trying to make Splunk read/index a CSV that is 1.5KB.

I have used the traditional CRCSALT=>SOURCE> tag in the inputs.conf, however, that does not seem to work.

Any ideas how I can make the file read? It is a once-a-week feed and it does not process the files.

1 Solution

vr2312
Contributor

Using "initCrcLength = XX" in the inputs.conf fixed the issue.

0 Karma
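
A simplified model of the check that initCrcLength and crcSalt tune, added here as an example and not code from this thread or from Splunk: the monitor input fingerprints the first initCrcLength bytes of a file (256 by default) and skips a file whose fingerprint it has already recorded. The use of zlib.crc32 as the checksum, the sample CSV contents and the paths are assumptions made for illustration.

```python
import zlib

DEFAULT_INIT_CRC_LENGTH = 256  # documented default for initCrcLength


def initial_crc(data, init_crc_length=DEFAULT_INIT_CRC_LENGTH, salt=b""):
    """Model of the 'seen before?' fingerprint: a checksum over the salt plus
    the first init_crc_length bytes. zlib.crc32 is a stand-in (assumption)."""
    return zlib.crc32(salt + data[:init_crc_length])


def would_be_skipped(seen, data, **kwargs):
    """True if the modelled monitor treats the file as already indexed."""
    crc = initial_crc(data, **kwargs)
    if crc in seen:
        return True
    seen.add(crc)
    return False


def first_difference(a, b):
    """Offset of the first byte where two files differ, or -1 if identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return -1 if len(a) == len(b) else min(len(a), len(b))


# Constructed sample data: two weekly single-column CSV drops that share a
# header and the first 60 rows (308 bytes) and differ only in the final row.
COMMON = b"user_id\n" + b"".join(b"%04d\n" % i for i in range(60))
WEEK1 = COMMON + b"7001\n"
WEEK2 = COMMON + b"7002\n"
SAME_PATH = b"/data/feed/usernames.csv"        # hypothetical path
PATH_A = b"/data/feed/usernames_week1.csv"     # hypothetical path
PATH_B = b"/data/feed/usernames_week2.csv"     # hypothetical path

if __name__ == "__main__":
    print("files first differ at byte", first_difference(WEEK1, WEEK2))
    for length in (256, 512):
        seen = set()
        would_be_skipped(seen, WEEK1, init_crc_length=length)
        skipped = would_be_skipped(seen, WEEK2, init_crc_length=length)
        print(f"initCrcLength={length}: second file skipped = {skipped}")
    # A path salt only separates files when the path itself changes.
    print("same path collides:",
          initial_crc(WEEK1, salt=SAME_PATH) == initial_crc(WEEK2, salt=SAME_PATH))
    print("different paths collide:",
          initial_crc(WEEK1, salt=PATH_A) == initial_crc(WEEK2, salt=PATH_B))
```

Running first_difference over two consecutive drops of a real feed gives the offset that initCrcLength has to exceed for the files to be told apart by content alone.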

hardikJsheth
Motivator

Please add the following stanza for your source type in props.conf on the indexer. Without this, Splunk will not index the CSV file correctly.

[sourcetype]
INDEXED_EXTRACTIONS=CSV

Also, if the CSV file has already been read, Splunk will not re-read it without clearing the fishbucket. To know more about how to clear the fishbucket, refer to the answer from Yann: https://answers.splunk.com/answers/72562/how-to-reindex-data-from-a-forwarder.html

0 Karma

vr2312
Contributor

[monitor:///Data/scripts/email_listener/logs/username/usernames*.csv]
sourcetype = username
source = username
host = username
index = main
crcSalt = <SOURCE>

0 Karma

somesoni2
Revered Legend

Are you using batch OR monitor in inputs.conf?

0 Karma

jkat54
SplunkTrust

Should be crcSalt=<SOURCE>; capitalization / case sensitivity matters.

Also, I think it's a typo, but there should be a less-than sign on the left side of SOURCE and a greater-than sign on the right side.

0 Karma

vr2312
Contributor

Yes. It is a typo. That is what happens when you break your head against such unforeseen issues.

And thus the capslock was ON.

But this did not work. 😞

0 Karma

jkat54
SplunkTrust

Can you post the CSV file somewhere like pastebin.com?

If it's 1.5KB, that means it's ~1500B, which means it has well over 256 characters if in ASCII, because each ASCII character = 1 byte on disk. So there's enough data to form a proper CRC salt.

Also, if you could provide the inputs.conf and props.conf stanzas for the data source, maybe there is a config issue there.

0 Karma

vr2312
Contributor

I am unable to use the crcSalt = [] in the comment box. It is getting invisible.

0 Karma

vr2312
Contributor

@jkat54

Sorry to get back to you on this after a long time.

Inputs.conf :
[monitor:///Data/scripts/email_listener/logs/username/usernames*.csv]
sourcetype = username
source = username
host = username
index = main
crcSalt=

There is no props.conf created.

Also assume the CSV contains numbers in one single column. Contains random numbers for around 132 rows.

0 Karma

jkat54
SplunkTrust

Put the 'code' in code blocks. Highlight it and click the 101010 button.

This will make

 crcSalt=<SOURCE> 

show up

0 Karma