- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: .dat file indexing problem??
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
.dat file indexing problem??
Hi..
I have a .dat file which is not a dat file instead , the extension is saved as .dat . Now i have told splunk to index this file..with the following settings..but i couldnt see tat happening ..
Configuration i have given is..
//inputs.conf
[monitor:///splunkInput/Siebel/TO_SPLUNK.dat]
disabled = false
followTail = 0
index = main
sourcetype = siebel_dat
//props.conf
[siebel_dat]
BREAK_ONLY_BEFORE = \d{2}\-[A-Z]{3}\-\d{2}
LEARN_MODEL = false
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = true
TIME_FORMAT = %d-%b-%y
invalid_cause = binary
is_valid = False
pulldown_type = 1
Platform : Linux 2.6.18-238.el5
Splunk vesion : splunk-4.3.2-123586-linux-2.6-x86_64.rpm
Can you pls help..wat could be the issue here ??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You have not provided nearly enough information in the question to really posit an answer.
What platform?
What Splunk version?
What is the format of the records to be indexed?
What can you not see happening? How are you trying to observe it?
Besides adding to the configuration files, what processes did you follow to invoke the changes? I am presuming from your karma that you are reasonably well experienced and unlikely to overlook the simple things, but it is worth asking anyway. For instance did you restart Splunk after the configuration change? And for your monitor stanza, is your file path literally as typed, including the mixed use of case, if you are running on a case-sensitive o/s (*nix)?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
trailing process link i have used is
https://myserver:8090/en-US/services/admin/inputstatus/TailingProcessor%3AFileStatus
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hmmm thanx grijhwani ..seems like too many questions..ok..let me answer your questions..
platform : Linux 2.6.18-238.el5
Splunk vesion : splunk-4.3.2-123586-linux-2.6-x86_64.rpm
format of the records : its a xml file saved in the extension of dat. it will have the date of the day as starting of the event .so i have defined my props to break at that point.
i have tried restarting splunk and checked the status using trainling process thing..then i found splunk saying "un readable filetype"
and my filepath is correct and it contains the mixed case of letters.
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
