Solved: Re: Why is INDEXED_EXTRACTIONS=csv not working in ...

ebailey · ‎10-21-2015

I have a distributed Splunk instance with the search head separated from the Indexers. I want to drop a CSV file with headers into Splunk and have it extract and match the fields up with the data and create extracted fields. I used the add data wizard to create a props and then deployed the props to the indexer and the search and then restarted both. I created an inputs for the file and then dropped the file to the the right path. I did add a max_lookahead to control which data is used by Splunk as index time.

I can see the data in Splunk, but nothing is being extracted. No interesting fields.

props.conf:

[test_alerts]
MAX_TIMESTAMP_LOOKAHEAD = 36
SHOULD_LINEMERGE=false
INDEXED_EXTRACTIONS=csv
NO_BINARY_CHECK=true
KV_MODE=none
disabled=false
pulldown_type=true

Data sample:

CurrentDate,ApplicationRef,RootApplicationID,credittxStatus,RootStatus,Propert,Customer,Created
"2015-10-13 12:00:00.000000000","2782376730","2234329","Pending","Pending","test-ny","Property Management","09/01/2015 11:48:56"
"2015-10-13 12:05:00.000000000","1461751231","2234336","Pending","Pending","test-ny","Property Management","09/01/2015 11:51:20"

Any ideas?

somesoni2 · ‎10-21-2015

Where is the inputs.conf for the CSV file you're ingesting, in a forwarder OR from Search Head?

View solution in original post

boromir · ‎07-28-2021

Had the same issue with distributed architecture UF/HF/indexers/SH on different machines. Tested with props.conf on all of the machines in order to extract the fields from a CSV source with no header line. Didn't work until we tried the proposed here..... props.conf with CSV configuration on the UF alone. It worked like a charm.

somesoni2 · ‎10-21-2015

Where is the inputs.conf for the CSV file you're ingesting, in a forwarder OR from Search Head?

chengka · ‎11-17-2015

Reviving this thread. I have exactly the same issue as OP. I upgraded the UF to v631 and added a stanza to props.conf, however the events are still not showing any fields. Now I have this same information in the props.conf of the indexer(v630) and the UF(v631). Am I missing something?

[ connections_mq]
SHOULD_LINEMERGE=false
INDEXED_EXTRACTIONS=csv
NO_BINARY_CHECK=true
CHARSET=UTF-8
KV_MODE=none
category=Structured
description=MQ Connections
disabled=false
pulldown_type=true
HEADER_FIELD_LINE_NUMBER=3
MAX_TIMESTAMP_LOOKAHEAD=1

chengka · ‎11-30-2015

Ok, my bad. I had a space between the [ and the sourcetype! It works via the UF once I removed the space.

sideview · ‎10-21-2015

My thought exactly, it's counterintuitive but indexed_extractions=csv needs to be on forwarders even UF's.

ebailey · ‎10-21-2015

I am doing some testing - i think you are right. The props needs to be on the UF too. Thanks

ebailey · ‎10-21-2015

That is it - putting the props.conf on the UF solved the problem. When to put the props on the UF is a little confusing. @somesoni2 - if you can answer the question I will award you points. Thanks!

Lucas_K · ‎10-21-2015

Very rarely do you put a props on a UF. This however is a case where you do.

It would be nice to see the docs.splunk pages for props updated with information regarding what can be used on a forwarder. Had a colleague ask me this exact question yesterday and it doesn't help when official documentation isn't clear on this.

Why is INDEXED_EXTRACTIONS=csv not working in props.conf?

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!