Dashboards & Visualizations

Using data from a csv file in a dashboard

absreim
Explorer

Hi,

I'm trying to test out a dashboard that I am developing by using sample data that is stored in a CSV. I am able to use the inputlookup in the Search application to import and see the data.

However, I am completely unable to get a dashboard to recognize the data when I place the inputlookup command inside the search param in a HiddenSearch module. I have tried placing the inputlookup command inside a subsearch passed to the appendpipe and append commands as well as using the append=t option of the inputlookup command. None of these attempts have worked. No error occurs when I use any of this syntax, but the data in the CSV is simply not included in the results of the charts and tables in the dashboard.

Has anyone actually been able to get the data inside a CSV to work with a dashboard in Splunk 4.3.4? If so, is there anything special that needs to be done to get dashboards to recognize the data?

absreim
Explorer

I finally figured out how to get it to work. It is necessary to use two eval functions to convert the datetime values in the CSV to the epoch form. For some reason for events from the CSV I first had to use eval to assign _time to another variable (I used "Time") for the text format to appear. I then used another eval and the strptime function on the Time variable to convert it to epoch time.

So my subsearch ended up this way:

append [|inputlookup bsod_samples.csv | eval Time=_time | eval _time=strptime(Time,"%Y-%m-%dT%T.%Q%:z")]

Date format in CSV: 02/06/2014 13:46:31 -0500

0 Karma
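The conversion absreim describes, as an added Python example that is not part of the thread: it emulates SPL strptime() returning null on a format mismatch, so the CSV rows drop out of every time-based stats command, and shows the same rows bucketed by day once the format matches the CSV. The sample rows, the BSOD_SC_ StopCode prefix and the -0500 display timezone are constructed assumptions.

```python
"""Added example: why inputlookup rows vanish from a time chart when the
_time format in the CSV does not match the strptime() format string."""
import csv
import io
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample lookup, modelled on the bsod_samples.csv in the thread.
SAMPLE_CSV = """_time,host,StopCode
02/06/2014 13:46:31 -0500,WKS01,BSOD_SC_0x0000007E
02/07/2014 09:12:05 -0500,WKS02,BSOD_SC_0x00000050
02/15/2014 22:03:44 -0500,WKS01,BSOD_SC_0x0000007E
"""

# Format matching the CSV date format stated in the thread, and an ISO-style
# format like the one in the posted eval (in Python strptime directives).
CSV_FORMAT = "%m/%d/%Y %H:%M:%S %z"
ISO_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"

# Assumed timezone in which strftime() renders the Time column.
DISPLAY_TZ = timezone(timedelta(hours=-5))


def splunk_like_strptime(value: str, fmt: str) -> Optional[float]:
    """Like SPL strptime(): epoch seconds on success, null (None) on mismatch."""
    try:
        return datetime.strptime(value, fmt).timestamp()
    except ValueError:
        return None


def parse_rows(csv_text: str, fmt: str) -> list:
    """eval _time=strptime(Time, fmt); rows whose _time is null are dropped
    by the later bucket/stats over _time, so they are filtered out here."""
    out = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        epoch = splunk_like_strptime(row["_time"], fmt)
        if epoch is not None:
            out.append({**row, "_time": epoch})
    return out


def occurrences_by_day(rows: list) -> dict:
    """stats count by Time, StopCode with Time=strftime(_time,"%m/%d/%Y")
    and StopCode=substr(StopCode, 9); substr is 1-based, so index 8."""
    counts = {}
    for row in rows:
        day = datetime.fromtimestamp(row["_time"], DISPLAY_TZ).strftime("%m/%d/%Y")
        key = (day, row["StopCode"][8:])
        counts[key] = counts.get(key, 0) + 1
    return counts
```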

absreim
Explorer

I think I figured out why this is happening. The format for _time in the CSV is not the same as that of the time of results taken directly from an index. Both strftime and strptime are unable to process the time format in the CSV properly. Not sure how to get the time formats to line up to do a sort over all of the results, but at least we now know why the results are not appearing.

0 Karma

absreim
Explorer

index=summary_winevents source="Summary - Hourly Bugchecks" ExpandCsv(orig_host,"$groupname$") ExpandCsv(orig_host,"$computername$")
| appendpipe [inputlookup bsod_samples.csv]
| rename orig_host as host
| stats list(StopCode) AS StopCode, list(P1) AS P1, list(P2) AS P2, list(P3) AS P3, list(P4) AS P4 by _time, host
| bucket _time span=7d
| sort - _time
| eval Time = strftime(_time,"%m/%d/%Y")
| stats count as Occurrences by Time, StopCode, host
| eval StopCode=substr(StopCode, 9)
| stats count as Occurrences by Time, StopCode
| chart sum(Occurrences) limit=35 over Time by StopCode

0 Karma

somesoni2
Revered Legend

Could you please provide the search that you are using?

0 Karma