Getting Data In

How should I format my CSV Excel chart in order for SPLUNK to be able to create a report?

vstrashko
New Member

How should I format my CSV Excel chart in order for SPLUNK to be able to create a report?

0 Karma

vstrashko
New Member

How should my props.conf, inputs/outputs be configured if I am extracting from a csv excel file?

0 Karma

Richfez
SplunkTrust

The act of getting the data in correctly is a precursor to but otherwise unrelated to the act of creating the chart or graph.

For ingesting this data, the easiest method - especially if you are just starting out - is to save it as csv then use the Add Data wizard in Splunk to ingest it as a structured CSV file. It walks you through all the steps, lets you check that timestamps are working and many other miscellaneous things. If you save it with column headers, you can tell Splunk at that time about them so it'll recognize all the fields properly. I heartily recommend creating a new index to put this data in so that you can delete it if you need to reimport. If you have problems with this process, you would get the best assistance if you could describe the process you followed and what happened as a result as well as you can.

Once you have that, confirm the data looks reasonable when searching for it in Splunk. You should be able to search something like index=mynewindex and get a list of fields down the left, data on the right and a green timeline of the volume at any specific time. Anything wrong here was likely caused in the preceding step, so the same procedure for getting specific help should be followed.

After it's properly showing up in Splunk, the answer to your question on making a chart may be fairly obvious after clicking around a bit, or perhaps it won't. If it is not obvious, then paste in an example of your events and what you are trying to accomplish so that we have some context for your question and we can probably help you with that.

Richfez
SplunkTrust

To access the Add Data wizard you may need to be logged in as an administrator or at least a user with "input_file" rights (I believe).

There should be a big button on the landing page when you log in (unless it's been customized).

If there's no button when you first log in, then in the upper right under "Settings", in section "Data" look for "Data inputs" and click it. In the resulting page, find the section "Files & directories" and to its right click "Add new." Use the "Upload a file" or whatever that middle option is.

If that doesn't work it's probably that you aren't logged in as someone with the correct privileges.

0 Karma

Richfez
SplunkTrust

To answer the other part of your question, there are many ways to have an input configured and a lot of optional settings. I got a chance to run through the wizard and see what it minimally drops into place.

[monitor://C:\temp\test_csv.csv]
disabled = false
host = SomeHost
index = temp
sourcetype = csv

It appears to have automatically found the field names with that. Here's another possibility for configuring this.

0 Karma

piebob
Splunk Employee

I also recommend that you try out the tutorial first, to get a good overview of what Splunk can do:
http://docs.splunk.com/Documentation/Splunk/6.4.2/SearchTutorial/WelcometotheSearchTutorial

richgalloway
SplunkTrust

Please tell us more about what you are trying to do. Do you want Splunk to import Excel data in CSV format? What kind of report do you want?

---
If this reply helps you, Karma would be appreciated.

vstrashko
New Member

I have imported excel data in csv format into SPLUNK. I am not sure if my props.config file is written correctly. I am trying to organize it into a horizontal bar chart where my x-axis is my CDC_VERSION and my y-axis is my SUM_VALUE. I'd like to filter by PRODUCT_ID.

0 Karma

somesoni2
Revered Legend

Just run a search in Smart/Verbose mode to see what your data looks like in Splunk and whether all the required fields are extracted correctly. (Each row of the CSV should be an event in Splunk, and all headers from your CSV should appear as fields in the field sidebar on the left.)

index=foo sourcetype=bar source=*YourCSVFileName.csv 

Once this is verified, you can write searches to produce the report you want.

0 Karma
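An added example, not part of any reply in this thread and not Splunk-supplied configuration: one way to pair the monitor stanza posted above with a props.conf stanza for a header-row CSV. The sourcetype name `cdc_csv` is hypothetical, the file is assumed to have its header on line 1 and no timestamp column, and a single Splunk instance is assumed.

```ini
# --- inputs.conf (on the instance that reads the file) ---
# Path and index come from the stanza posted earlier in the thread;
# the sourcetype name cdc_csv is hypothetical.
[monitor://C:\temp\test_csv.csv]
disabled = false
index = temp
sourcetype = cdc_csv

# --- props.conf (same instance: structured parsing happens where the file is read) ---
[cdc_csv]
# Parse the file as structured CSV and create fields from the header row.
INDEXED_EXTRACTIONS = csv
FIELD_DELIMITER = ,
HEADER_FIELD_LINE_NUMBER = 1
# One CSV row per event.
SHOULD_LINEMERGE = false
# Assumption: no timestamp column, so events are stamped with the time they are indexed.
# If the file has one, replace this line with TIMESTAMP_FIELDS = <column name>
# and a matching TIME_FORMAT.
DATETIME_CONFIG = CURRENT
# Fields are already extracted at index time; do not extract them again at search time.
# (On a distributed deployment this setting belongs on the search head.)
KV_MODE = none

# Constructed search for the chart described in the question. Field names are the
# ones the asker gave; the product id is a placeholder. Pick "Bar" as the
# visualization for a horizontal bar chart.
#   index=temp sourcetype=cdc_csv PRODUCT_ID="<product id>"
#   | chart sum(SUM_VALUE) AS total BY CDC_VERSION
```

Data that is already indexed keeps the sourcetype and fields it was indexed with, so a changed stanza only affects files read afterwards; this is where the separate index recommended above pays off when re-importing.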

vstrashko
New Member

My splunk does not have an add data wizard. I'm not sure why this is the case, but it is.

0 Karma