Solved: Re: How to load a CSV file into Splunk & Change th...

alenseb · ‎09-11-2012

Hi All,

I am trying to load a .csv file into splunk, using sourcetype(csv). Upload of data is working fine but the only issue if i change the data in this .csv file, new data get appended to the old data. what i need is to replace the old with new.
Example: if i have 4 lines in the csv initially & if i delete one of its line and add 2 new lines.
My new csv data should contain only 4 lines.
Right now when i am doing this, i am getting 9 lines(4-Old & 5-New) of data.

Please help me with the configurations.

Paolo_Prigione · ‎09-11-2012

CSVs the way you mean them are treated in a different way than regular log files.
There are 2 basic kinds:

"just CSVs", which are only accessed via "| inputcsv" and "| outputcsv"
lookup CSVs, which are accessed with commands "| lookup", "| inputlookup" and "| outputlookup"

In the former case you can:

load your CSV in $SPLUNK_HOME/var/run/splunk/filename.csv
execute the search:

| inputcsv filename.csv

In the latter you can:

configure it from the Manager and upload the csv file
you will be able to replace the file under this directory $SPLUNK_HOME/etc/apps/APPNAME/lookups/filename.csv.
execute searches like:

.... | lookup configname inputfield OUTPUT outputfield

View solution in original post

Paolo_Prigione · ‎09-11-2012

CSVs the way you mean them are treated in a different way than regular log files.
There are 2 basic kinds:

"just CSVs", which are only accessed via "| inputcsv" and "| outputcsv"
lookup CSVs, which are accessed with commands "| lookup", "| inputlookup" and "| outputlookup"

In the former case you can:

load your CSV in $SPLUNK_HOME/var/run/splunk/filename.csv
execute the search:

| inputcsv filename.csv

In the latter you can:

configure it from the Manager and upload the csv file
you will be able to replace the file under this directory $SPLUNK_HOME/etc/apps/APPNAME/lookups/filename.csv.
execute searches like:

.... | lookup configname inputfield OUTPUT outputfield

Paolo_Prigione · ‎09-11-2012

It will probably will be slower than with the "| lookup" command and limited to some 50k results, but | join joinfield [|inputcsv ... | fields + joinfield otherfield] might do

alenseb · ‎09-11-2012

Thanks!! Appending worked Just fine!

Can i use this "| inputcsv" command to Join with another log file?

MHibbin · ‎09-11-2012

Do you not want to do this as a lookup?... http://docs.splunk.com/Documentation/Splunk/latest/User/CreateAndConfigureFieldLookups

If not you should be able to use the dedup command to show the latest event (i.e. the latest csv) depending on how you are indexing it.

MHIbbin

alenseb · ‎09-11-2012

Thanks in advance!!

alenseb · ‎09-11-2012

I tried the lookup but it didn't serve my purpose since the replacement of data wasn't happening.
Also i need to join this .csv file with another log file.
Therefore wen the data in csv file change, the result of the Join Query also should change.
Any Configuration files i need to look into. I am basically trying to automate it.

jpmackl · ‎11-19-2015

Any luck completing this effort? I'm trying to do the same thing. I have tool the produces a CSV report every hour, I would like to pull the data into Splunk in an automated fashion and then build real time dashboards from the data. Thank you for any help!

colinmchugo · ‎09-02-2016

Any luck with this jpmackl ? I want to do something similar

How to load a CSV file into Splunk & Change the csv file dynamically, so that data is refreshed.

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

SplunkTrust Application Period is Officially OPEN!

Announcing Modern Navigation: A New Era of Splunk User Experience

Join the Conversation