source="Application_Vulnerabilities_*.csv" index="vuln_mgmt" sourcetype="csv"
One of the dashboards has the above query. Where can I fetch the source file mentioned in Splunk?
Thanks for the detailed explanation.
Hi @Keerthi,
If you have only the file name as source, this means that this file was manually updated and not read from the file system.
In other words, this file isn't present as a file in Splunk, but the content was acquired and indexed and you can see these contents.
Ciao.
Giuseppe
Understood, sir. But what does manually updated mean? Can you please elaborate on how we manually update? Or, by keeping the file on the server and calling the file name in the query (source=XYZ.csv), will it then work?
If I want to replace the existing file, what should I do?
Hi @Keerthi,
I mean that the file wasn't read by a forwarder but was uploaded using the [Settings > Add file] feature.
Anyway, after you indexed a file, you cannot modify it.
You have two ways to modify a csv file:
The search you shared is to retrieve the contents of that file and display them.
Obviously you can elaborate the results in search, but not the indexed data.
In other words, you can modify everything before indexing and when displaying, but not the indexed data.
Ciao.
Giuseppe