Splunk Dev

Where the uploaded CSV files are saved in splunk i.e. in which index by default? And in which conf. file the changes due to a uploaded .csv takes place?

arpit_1210
Explorer

When we upload a csv file in splunk, which all conf files are modified in background and what all changes are made in them ?

And, by default these csv files reside in which index?

Tags (1)
0 Karma

lukejadamec
Super Champion

If you are using the Splunk UI to configure your inputs, then the location of the config files is based on the setting you select while creating the input. In particular, the setting for App tells Splunk which App to use when storing configs. The Apps are located in Splunk_Home\etc\apps. In the App that was selected when creating the input you will see a "local" folder which will contain the config files.

If you are using apps downloaded from Splunk, then the data used those Apps are typically configured inside that App, which can be found typically by name in Splunk_Home\etc\apps.

If you don't remember which App was selected when the input was created than you can use the Splunk UI to find it. Go to Settings, Data Inputs, Files and Directories for a list of file inputs. This list will also tell you which index is used for that input. It is possible that you are using inputs other than "File and Directories", so review the list of possible local inputs. There is a column for the number of inputs to give you a clue as to what type of inputs you have for those input types.

If you have custom field extractions or other UI generated transforms, then you may file those settings in the user context in Splunk_Home\etc\users under the user that created them.

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...