Re: Why splunk can directly read and parse the csv...

chendw98 · ‎07-18-2019

Why splunk can directly read and parse the csv file uploaded? Is it possible for me to see the config file doing this? I'm using the cloud trial so I cannot find my config file locally.

woodcock · ‎07-19-2019

How did you upload it? If you did it as Add New Lookup File, you just need to be inside that app's context and do this:

| inputlookup YourFilenameHere.csv

If you used the Add Data Wizard then you gave it a sourcetype and an index so just do this:

index=<The value you used> AND sourcetype=<The value you used>

skalliger · ‎07-19-2019

Hey there.

Splunk has so-called pretrained source types. When not specifically set, Splunk tries to recognise the source type. Next to csv, there are some formats being recognised pretty good as well. I mean, CSV just means "segment data by commas".

See the docs for further examples: https://docs.splunk.com/Documentation/Splunk/7.3.0/Data/Listofpretrainedsourcetypes

Skalli

chendw98 · ‎07-19-2019

Hi there,

But why if I upload the csv through the forwarder, it appears to be something like "mscs:storage:blob"? Is it possible to specify the type to be csv in input.conf?

Thanks!
Justin

Why splunk can directly read and parse the csv file uploaded?

See Splunk Platform & Observability Innovations at Cisco Live EMEA

The OpenTelemetry Certified Associate (OTCA) Exam

From Manual to Agentic: Level Up Your SOC at Cisco Live

Join the Conversation

Why splunk can directly read and parse the csv file uploaded?

See Splunk Platform & Observability Innovations at Cisco Live EMEA

The OpenTelemetry Certified Associate (OTCA) Exam

From Manual to Agentic: Level Up Your SOC at Cisco Live