All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Where are the imported CSV located on linux?

mhammett01
New Member
‎11-13-2019 06:51 AM

Trying to have a CSV sent every evening probably use a schedule job to update. Using UF to monitor a folder doesnt seem to work, unless someone has been able to do that. Any assistance would be awesome. Cheers!

Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-13-2019 08:29 AM

Hi @mhammett01,
It's not clear why you tagged "Lookup File Editor", the csv file to monitor is on a Universal Forwarder and must be indexed, is it correct?

let me understand:

  • you have a Universal Forwarder installed on a Linux Server,
  • on this server you have a csv to monitor,
  • you want to monitor this file that's updated every day.

I can imagine that your UF are sending logs to Splunk Server so there aren't connection problems, you can simply test this using this search on your Splunk Server (if you have a stand-alone server) or on a Search Head (if you have a Distributed search):

index=_internal host=my_host

If you have results, connection is ok, otherwise you have to test the connection.

So you have to create an Add-On that contains a file called inputs.conf.
Have you a Deployment Server?
So deploy the Add-on on the Universal Forwarder manually or using the Deployment Server.

Anyway, in inputs.conf file there's a dedicated stanza like this:

[monitor:///my_path/my_file.csv]
index=my_index
disabled=0
sourcetype=my_sourcetype

If the name contains the date (e.g. my_file_2019-11-12.csv) you can use: 

[monitor:///my_path/my_file*.csv]

In this way you have the input processor to take the file (remember that if you manually deploy the Add-On you have to restart Splunk on Universal Forwarder.

Put attention to the rights on the file: the user running splunkd process must be enabled to read the file.

Ciao.
Giuseppe

0 Karma
Reply

mhammett01
New Member
‎11-13-2019 06:54 AM

And.....nevermind......went to setting>lookup>Lookup table files

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...