Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- csv file in blob storage
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
csv file in blob storage
Skins
Path Finder
12-19-2018
10:10 PM
I am ingesting from blob storage and have downloaded an example of the file and uploaded to a standalone box and created a new sourcetype and all working as expected.
using INDEXED_EXTRACTIONS = csv
moving to my tierd environment the blob storage is collected via app running on the HF - so i have added the new sourcetype defined there and also on the SH - nothing on the indexing tier.
however searching from the SH tier - the sourcetype is shown but the fields are not extracted.
what could i be missing ?
gratzi
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rajasekhar14
Path Finder
11-14-2019
08:06 AM
hi @Skins
did you resolve this issue?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
p_gurav
Champion
12-27-2018
12:19 AM
Where you are putting INDEXED_EXTRACTIONS = csv this seeting?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
alexstanley
New Member
08-27-2019
09:15 PM
where you able to resolve this issue @Skins ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
p_gurav
Champion
12-27-2018
01:52 AM
Can you give what setting you configured for sourcetype on HF and SH?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Skins
Path Finder
01-02-2019
07:26 PM
[mscs:storage:blob:csv]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = csv
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIMESTAMP_FIELDS = date
category = Structured
description = csv files from azure blob
disabled = false
pulldown_type = true
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Skins
Path Finder
01-02-2019
09:43 PM
I tried again - and manually downloaded a csv file from blob storage using Azure blob explorer
If i manually add the file to the HF it is indexed using the sourcetype correctly and indexed fileds are shown and searchable from the SH (this is a HF > IDX > SH Scenario)
If i then enable the blob collection again using the mscs app - just get headers
date,level,applicationName,instanceId,eventTickCount,eventId,pid,tid,message,activityId
host =XXXX source =blah/2018/09/16/09/logname.csv sourcetype = mscs:storage:blob:csv
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rfoucault
New Member
03-17-2021
01:35 AM
Hello,
I'm coming to you, I'm trying to implement a BLOB to a splunk like you. I have the same concern that you have found a solution to this problem?
Have a good day
Get Updates on the Splunk Community!
Aligning Observability Costs with Business Value: Practical Strategies
Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...
Mastering Data Pipelines: Unlocking Value with Splunk
In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0
Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...
