Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

CSV File Upload via GUI Interface

rkrevat
New Member
‎06-27-2017 05:54 AM

From the Home section, I click on the "Add Data" icon, and upload a CSV file through this interface. Everything is going fine, Splunk shows me a preview of my data, I continue with the upload, and then I receive the message that my file successfully uploaded. However, when I go to the Datasets tab, there is nothing there; when I click on the Data Summary button within the Search section, there is no data. I have set my search parameters to "All Time". I notice that there are a few other similar questions with similar issues in this community; however, these questions all seem to do with users using code to upload their files-- I am just using the simple GUI interface to upload files, from the home page. Why is Splunk not seeing my csv file?

Tags (1)
0 Karma
Reply

rkrevat
New Member
‎06-28-2017 07:03 AM

Thank you so much for taking the time to provide me with such a detailed response, niketnilay. So I followed your instructions, and I changed the name of the file, as well as created a new index, and when I clicked on "Start Searching", my file came up; this is the furthest that I have advanced so far in this seemingly Quixotic quest! However, when I go to the Data Summary tab, nothing comes up:
alt text

Preview file
1 KB
0 Karma
Reply

niketn
Legend
‎06-28-2017 12:24 PM

So were you able to query data in the file you uploaded? I noticed that your event timestamp was 2016 and not 2017, was that intentional or typo? Have you tried with more recent timestamp? Also did you make sure that splunk app, sourcetype ad index are chosen properly?

If there is an issue with your indexes you might have to have Splunk Admin or Splunk Support look into it.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

niketn
Legend
‎06-27-2017 11:45 PM

@rkrevat, I was able to upload above data to Splunk's default index i.e. index=main via default Search & Reporting App.

alt text
alt text

Can you try adding to default index (main) or else try to create a new index (just define the max size while adding the data, leave others to be default)? This way whether there is any event in the index will confirm whether your data got added successfully or not.

Have you tried renaming the file while uploading and also changing the timestamp field to more recent date?

Following is the custom sourcetype settings I defined while adding the file (PS: Name of App should remain the same as the App where Data is being added.

[user_session_csv]
SHOULD_LINEMERGE=false
NO_BINARY_CHE
CK=true
CHARSET=AUTO
INDEXED_EXTRACTIONS=csv
KV_MODE=none
category=Structured
description=Comma-separated value format. Set header and other settings in "Delimited Settings". User Session CSV Log
disabled=false
pulldown_type=true
TIMESTAMP_FIELDS=timestamp
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Preview file
1 KB
Preview file
1 KB
0 Karma
Reply

rkrevat
New Member
‎06-27-2017 04:28 PM

I put your suggested query into the search bar, and I receive, "No Results Found", even though I can see and edit the file using the Lookup Editor. When I created the lookup, I set the app to "Search and Reporting", but I still can't find it.
Per your request, here are the headers and first row:
alt text

Preview file
1 KB
0 Karma
Reply

niketn
Legend
‎06-27-2017 06:14 AM

If you are choosing to view the data just added by UI based file upload, splunk will run a search query against all indexed using index=_* OR index=*, however, you might not have access to search using the same. Please see if you can search the events by (default values)

index=main and sourcetype=csv

When you are uploading data through UI make a note of index and sourcetype you have selected in the Summary tab. For CSV sourcetype would be selected as csv by default and for Home app main index should be selected by default. Splunk UI gives you an option to save this as new sourcetype so that you can distinguish your data. For example save your CSV file as mydata_csv sourcetype.

Try uploading to different index and with a custom sourcetype and then see if you can search. Also in the preview tab, is the event timestamp being picked up correctly? If you have timestamp field in your CSV that you can modify then please use the same to change to more recent time, just to ensure that file keeps changing and also to reduce the timerange for searching your data recently added.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

rkrevat
New Member
‎06-27-2017 07:20 AM

Thank you for the suggestions, everyone. I tried uploading again, this time creating my own source type, checking to ensure that the timestamp is correct, and creating my own index, but I still get "no results found" when I search:
source="user-session.csv" host="Ronalds-iMac.local" index="history" sourcetype="csv1"

0 Karma
Reply

niketn
Legend
‎06-27-2017 02:30 PM

Check whether events are actually getting added to index=history or not.

| metadata type=sourcetypes index="history"

PS: Select All Time from Search Time Range Picker.
You can also check from Settings > Indexes

If you do not see any event for index="history" sourcetype="csv1", share the header row and at least one column of you CSV (mock/anonymize data where ever needed).

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

cmerriman
Super Champion
‎06-27-2017 06:04 AM

have you tried to upload CSVs with this app? https://splunkbase.splunk.com/app/1724/
the only other suggestion I have is to check that the sourcetype and configurations are set up correctly.

0 Karma
Reply

kkrishnan_splun
Splunk Employee
Splunk Employee
‎06-27-2017 06:13 AM

The lookup editor app is for the purpose of editing the lookup files after the lookup tables and definitions have been set.
The Data Summary button lists the host, source and sourcetypes that it derives from Data Upload. If you could add your sourcetype="csv", source="yourFileName.csv" and index="yourIndexName" (if specified during the upload), splunk will list the events accordingly.

0 Karma
Reply

rkrevat
New Member
‎06-27-2017 03:23 PM

I can find my downloaded file in the File Editor, but when I go into the File Editor and click on "Open in Search" on the "Action" list, the search just says "No Results Found."

0 Karma
Reply

rkrevat
New Member
‎06-27-2017 03:14 PM

I have tried using the lookup error, but I still cannot find my "successfully uploaded" files.

0 Karma
Reply

rkrevat
New Member
‎06-27-2017 01:46 PM

Thank you for taking the time to address my issue. In following your suggestion, I did a search on the following:

sourcetype="csv", source="user-session.csv", index="main"

And it comes up with "No Results Found."

Yes, as I was downloading the file, I carefully noted the values for each of these fields. :))

0 Karma
Reply

cmerriman
Super Champion
‎06-27-2017 06:31 AM

the lookup editor has the capability of uploading csv files that will show up in your datasets. they may not have a sourcetype attributed to them, but you can still call them with inputlookup.

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...