What would you say is the recommended method for h...

aquinol · ‎10-17-2022

Hi All-

What would you say is the recommended method for handling CSV files?

Ingesting it into an index or using it as a lookup table?

TLDR - Server team keeps server master list as CSV. Want to bring it into Splunk as the reference (baseline) which all other tools report against (AD, CS, R7 etc). Should I ingest that CSV into an index or keep it a csv and use it as a lookup table?

Thanks in Advance!

isoutamo · ‎10-17-2022

Hi

If it changed regularly then the better way could be ingest it, even it use your license. And especially if you have several SHs when you want to use it (without SHC). If it's quite statics and you have only some or even one SH and you are using suitable automatic, then probably the easiest way is use csv files.

Anyhow you probably should add scheduled searches to export that list to csv or kvstore to use it easier on splunk side.

r. Ismo

aquinol · ‎10-17-2022

Thanks for the feedback! The server guys change it semi regularly (whenever they add/remove/change a server). So I think you're right about ingesting it, then having it in the KV store would probably be the best method. On that same vein.... The actual Server DB is an Access DB, they currently export it to CSV as i haven't figured out a better method to ingest it into Splunk. DB connect isn't an option for us. You wouldn't happen to have a better method other than CSV and ingest would you?

isoutamo · ‎10-17-2022

With access FSB is definetelly better than try to get DB Connect to work with it.

What would you say is the recommended method for handling CSV files?

CSV

index

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!