Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to index multiple CSV file from a local machine?

ibmrakesh
Explorer
‎02-08-2017 09:03 AM

Hi All,

I have multiple CSV files which are on the local machine under the same directory. I would like to add these files and index them.
I have multiple CSV files with fields let's say.

  1. table_1.csv with fields 'Bus No', 'Booking ID', 'start Time', 'End Time', 'Source', 'Destination'
  2. table_2.csv with fields 'Bus No', 'Booking ID', 'Via','Halting Timings','Passenger counts', 'Failures', etcs.
  3. table_3.csv with fields ....

Can someone guide me the best way to do it?

Thanks In Adv.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

felipesewaybric
Contributor
‎02-08-2017 09:40 AM

Maybe monitoring the folder? Are the files dynamic or static?

View solution in original post

Reply
Solved! Jump to solution

dbcase
Motivator
‎02-10-2017 11:57 AM

Create the index ahead of time (settings->index->new)

Then in your inputs.conf file on the universal forwarder put in something like this

[batch:///var/nfs/SAT_SplunkLogs/ts/beta/*.csv]
move_policy = sinkhole
host_segment=5
sourcetype=csv
index=betats

then restart splunk on the universal forwarder

FYI . you can substitute monitor for batch, the move_policy = sinkhole will delete the CSV file after it is indexed

0 Karma
Reply
Solved! Jump to solution

ibmrakesh
Explorer
‎02-17-2017 09:17 AM

@dbcase: Is this for dynamic CSV file?

0 Karma
Reply
Solved! Jump to solution

dbcase
Motivator
‎02-17-2017 09:18 AM

for dynamic (meaning the file gets added to) I'd use something like this

[monitor:///var/nfs/SAT_SplunkLogs/version/*.csv]
crcSalt = defprof
sourcetype=csv
index=allmsos
0 Karma
Reply
Solved! Jump to solution

dbcase
Motivator
‎02-17-2017 09:23 AM

If the csv file gets created, then indexed then a new file gets created I'd use the batch method.

The batch method with the move_policy sinkhole parameter will index the csv file, then delete it so a new csv file can be written.

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎02-09-2017 09:10 AM

If an answer to your question has solved your issue, please accept the answer.

0 Karma
Reply
Solved! Jump to solution
Solution

felipesewaybric
Contributor
‎02-08-2017 09:40 AM

Maybe monitoring the folder? Are the files dynamic or static?

Reply
Solved! Jump to solution

ibmrakesh
Explorer
‎02-09-2017 05:16 AM

@felipesewaybricker: Thanks for responding my query! In both the cases i.e if CSV files are 1. static and 2. dynamic.

0 Karma
Reply
Solved! Jump to solution

felipesewaybric
Contributor
‎02-09-2017 06:15 AM

Nice, you can monitor the folder, send to the same index and perform the searches as follows: index = nnn source = file.csv

0 Karma
Reply
Solved! Jump to solution

ibmrakesh
Explorer
‎02-10-2017 11:46 AM

@felipesewaybricker: This is just for clarification, Are you saying we need to use "Monitoring" option instead of "Upload" option while uploading files. If this is Yes then how will i be creating Index for that ?

  1. what about if csv files are dynamic ?
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...