Why splunk can directly read and parse the csv fil...

chendw98 · ‎07-18-2019

Why splunk can directly read and parse the csv file uploaded? Is it possible for me to see the config file doing this? I'm using the cloud trial so I cannot find my config file locally.

woodcock · ‎07-19-2019

How did you upload it? If you did it as Add New Lookup File, you just need to be inside that app's context and do this:

| inputlookup YourFilenameHere.csv

If you used the Add Data Wizard then you gave it a sourcetype and an index so just do this:

index=<The value you used> AND sourcetype=<The value you used>

skalliger · ‎07-19-2019

Hey there.

Splunk has so-called pretrained source types. When not specifically set, Splunk tries to recognise the source type. Next to csv, there are some formats being recognised pretty good as well. I mean, CSV just means "segment data by commas".

See the docs for further examples: https://docs.splunk.com/Documentation/Splunk/7.3.0/Data/Listofpretrainedsourcetypes

Skalli

chendw98 · ‎07-19-2019

Hi there,

But why if I upload the csv through the forwarder, it appears to be something like "mscs:storage:blob"? Is it possible to specify the type to be csv in input.conf?

Thanks!
Justin

Why splunk can directly read and parse the csv file uploaded?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes