I've installed UF on a Windows 2012 R2 server and created a directory monitor via the inputs.conf file at C:\Program Files\SplunkUniversalForwarder\etc\system\local. A scheduled script drops a CSV into the monitored directory on a routine basis and Splunk indexes the data. The problem I'm having is that Splunk is not indexing everything in the CSV and the data that is skipped appears to be random.
I've tested crcSalt = and I've checked the data for any weird timestamps that may be parsed, but it's an unmodified CSV and Splunk seems to be splitting events appropriately. I've been browsing Splunk Answers for a few hours and haven't had any luck.
Does anyone have any ideas here? I've copied the monitor stanza below.
[monitor://C:\Security\Logs\MessageTrace]
disabled=false
index=o365
host=o365_custom
source=o365_MessageTrace
crcSalt = <SOURCE>