Knowledge Management

The data from my previous download are no more available for search! How can I solve it ?

idrissfofana
Explorer

I'm using splunk enterprise trial version 6.6.1. After downloading a first csv file F1, I successively my searchs; but after dowloading another file F2, It becomes impossible to search and get F1 data.
any explanation ?
could someone help me ?
thanks

Tags (1)
0 Karma
1 Solution

idrissfofana
Explorer

It is resolved.
I just restarted my laptop and everything is ok.
Maybe It was because I didn't restarted my laptop since splunk installation.

anyway, thanks for your assistance.

View solution in original post

idrissfofana
Explorer

It is resolved.
I just restarted my laptop and everything is ok.
Maybe It was because I didn't restarted my laptop since splunk installation.

anyway, thanks for your assistance.

DalJeanis
SplunkTrust
SplunkTrust

Thanks for letting us know. Happy splunking!

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

Please describe, step by step, how you downloaded the information and ingested it into splunk, and how you were searching for it. There are dozens of ways that you could do this.

Did you put it into an index? If so, then the data should not disappear just due to loading more data into the same index (or a different one).

Or did you upload it to a csv file on the host and use | inputcsv F1.csv or | inputlookup F1.csv to bring in the records? If you were uploading it into a csv file, then you need to understand the syntax for adding another csv file into the same search.

| inputcsv F1.csv | inputcsv append=t F2.csv

Give us the exact details of how you got the data in the first time, and we may be able to figure out what is missing in your method.

richgalloway
SplunkTrust
SplunkTrust

It would help to know how you are searching for F1, but source=F1 should find it.

---
If this reply helps you, Karma would be appreciated.
0 Karma

idrissfofana
Explorer

I've done it : source = F1 and the stats count = 0

0 Karma

idrissfofana
Explorer

I've done it : source = F1 and the stats count = 0

0 Karma

richgalloway
SplunkTrust
SplunkTrust

What is your query? Feel free to replace confidential information.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...