Where to find the CSV file source?

Keerthi
Path Finder

source="Application_Vulnerabilities_*.csv" index="vuln_mgmt" sourcetype="csv"


One of the dashboards has the above query. Where can I fetch the source file mentioned in Splunk?

gcusello
SplunkTrust

Hi @Keerthi,

I mean that the file wasn't read by a forwarder but was uploaded using the [Settings > Add file] feature.

Anyway, after you indexed a file, you cannot modify it.

You have two ways to modify a csv file:

  • before indexing, using props.conf, e.g. for masking sensitive data,
  • the indexed sources cannot be modified, but if you load these csv files in a lookup, you can modify the lookup (not the indexed data) using the Lookup Editor App.

The search you shared is to retrieve the contents of that file and display them.

Obviously you can elaborate the results in search, but not the indexed data.

In other words, you can modify everything before indexing and when displaying, but not the indexed data.

Ciao.

Giuseppe
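
The lookup approach described in the answer above, as an added example that is not part of the original posts. These are three separate searches, run one at a time: the first lists which sources and hosts the indexed rows came from, the second copies the indexed rows into a lookup file that can be edited or replaced, and the third is what a dashboard would run against that lookup. The lookup name `application_vulnerabilities_example.csv` is hypothetical.

```spl
| tstats count min(_time) as first_event max(_time) as last_event where index="vuln_mgmt" sourcetype="csv" source="Application_Vulnerabilities_*.csv" by source host
| convert ctime(first_event) ctime(last_event)

index="vuln_mgmt" sourcetype="csv" source="Application_Vulnerabilities_*.csv"
| fields - _*
| outputlookup application_vulnerabilities_example.csv ```hypothetical lookup file name```

| inputlookup application_vulnerabilities_example.csv
```

The indexed events stay unchanged; only the lookup copy is editable, for example with the Lookup Editor App mentioned in the answer.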

Keerthi
Path Finder

Thanks for the detailed explanation.

gcusello
SplunkTrust

Hi @Keerthi,

If you have as source only the file name, this means that this file was manually updated and not read from the file system.

In other words, this file isn't present as a file in Splunk, but the content was acquired and indexed and you can see these contents.

Ciao.

Giuseppe

Keerthi
Path Finder

Understood, sir. But manually updated meaning? Can you please elaborate how we manually update? Or by keeping the file on the server and calling the file name in the query (source=XYZ.csv), then it will work?

If I want to replace the existing file, what should I do?
