Archive
Highlighted

Why splunk can directly read and parse the csv file uploaded?

New Member

Why splunk can directly read and parse the csv file uploaded? Is it possible for me to see the config file doing this? I'm using the cloud trial so I cannot find my config file locally.

Tags (1)
0 Karma
Highlighted

Re: Why splunk can directly read and parse the csv file uploaded?

SplunkTrust
SplunkTrust

Hey there.

Splunk has so-called pretrained source types. When not specifically set, Splunk tries to recognise the source type. Next to csv, there are some formats being recognised pretty good as well. I mean, CSV just means "segment data by commas".

See the docs for further examples: https://docs.splunk.com/Documentation/Splunk/7.3.0/Data/Listofpretrainedsourcetypes

Skalli

0 Karma
Highlighted

Re: Why splunk can directly read and parse the csv file uploaded?

New Member

Hi there,

But why if I upload the csv through the forwarder, it appears to be something like "mscs:storage:blob"? Is it possible to specify the type to be csv in input.conf?

Thanks!
Justin

0 Karma
Highlighted

Re: Why splunk can directly read and parse the csv file uploaded?

Esteemed Legend

How did you upload it? If you did it as Add New Lookup File, you just need to be inside that app's context and do this:

| inputlookup YourFilenameHere.csv

If you used the Add Data Wizard then you gave it a sourcetype and an index so just do this:

index=<The value you used> AND sourcetype=<The value you used>
0 Karma