Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Can't use inputcsv on a csv file just created with outputcsv - does inputcsv strictly handle embedded newlines?

jarrowwx
New Member
‎02-03-2015 02:20 PM

I have a long running query (7 minutes or so) that I want to speed up, because I am doing variations of it over and over again. So I broke out the part that was common to all of them, and wrote it to a csv file. Then I tried to use that file as the source, and I get nothing. Event count is 0.

If I had to venture a guess, I would suppose that it might have to do with newlines embedded in the _raw log entries. Can splunk properly parse a csv file if some of the strings in the file contain newlines?

If the answer is yes, then does anybody have any other ideas what might cause a file just written with outputcsv to not be readable as an input source using inputcsv?

Tags (3)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-04-2015 04:33 PM

Depending on what you're actually trying to do, take a look at |loadjob: http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/loadjob

0 Karma
Reply

thomrs
Communicator
‎02-03-2015 03:51 PM

I always use outputlookup for things like this. Lately I've move on to tscollect and tstats. I use the netapp an VMware app and these commands are used to speed up perf queries.

Not an answer to your problem, but another path to try if you need.

http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Tscollect

Reply

jarrowwx
New Member
‎02-04-2015 10:30 AM

Unfortunately, I need more than time series data, I need the subset of records that I am searching over. The point is to do less work overall, skipping the processing of 2 million records that are established as irrelevant to my query.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Building on the foundation established in our initial Value Insights releases, we are introducing the Savings ...

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...