Why can Splunk directly read and parse the uploaded csv file? Is it possible for me to see the config file doing this? I'm using the cloud trial so I cannot find my config file locally.
Splunk has so-called pretrained source types. When not specifically set, Splunk tries to recognise the source type. Besides csv, some other formats are recognised pretty well too. I mean, CSV just means "segment data by commas".
See the docs for further examples: https://docs.splunk.com/Documentation/Splunk/7.3.0/Data/Listofpretrainedsourcetypes
But why, if I upload the csv through the forwarder, does it appear as something like "mscs:storage:blob"? Is it possible to specify the type to be csv in input.conf?
How did you upload it? If you did it as Add New Lookup File, you just need to be inside that app's context and do this:
| inputlookup YourFilenameHere.csv
If you used the Add Data Wizard then you gave it a sourcetype and an index so just do this:
index=<The value you used> AND sourcetype=<The value you used>