Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Challenge with splunk forwarder and csv file

eholz1
Contributor
‎12-19-2023 11:37 AM

Hello,

I need some help. Icreate a csv file on remote server from a mysql quert.

I forward the csv file from the remote server to splunk.

I can read the data. The csv file is over written each day, it have have only 1 line of

data, or multiple lines of data - it is a list of device that have gon down. If no devices

are down, the the file only has the hearder, and data that says: :No Devices Down:" I  only want to see data from the file on the day the file is writtern. The challenge I have is to read only the data in the file for that day. The issue is that splunk indexes the data, so splunk retains the data over time, like I want only 1 day info from the file, but splunk has all the data indexed

How can I return only the data for the day, not for all data in splunk indes?

thanks,

EWHolz

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎12-20-2023 05:51 AM

There are two things you can do.

1) Change the retention period of the indexed data to one day.  If necessary, create a new index dedicated to the CSV data.

2) When searching the CSV data, fetch only the most recent day.

index=foo earliest=-24h
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎12-20-2023 05:51 AM

There are two things you can do.

1) Change the retention period of the indexed data to one day.  If necessary, create a new index dedicated to the CSV data.

2) When searching the CSV data, fetch only the most recent day.

index=foo earliest=-24h
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

eholz1
Contributor
‎12-20-2023 07:41 AM

Hello Members and richgallowy,

 

Thanks for the tip. It has been a while since I have needed to apply my

limited "Splunk" skills, I appreciate this suggestion, and will try it out;.

 

Regards,

EWHolz

Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...