Why splunk can directly read and parse the csv fil...

chendw98 · ‎07-18-2019

Why splunk can directly read and parse the csv file uploaded? Is it possible for me to see the config file doing this? I'm using the cloud trial so I cannot find my config file locally.

woodcock · ‎07-19-2019

How did you upload it? If you did it as Add New Lookup File, you just need to be inside that app's context and do this:

| inputlookup YourFilenameHere.csv

If you used the Add Data Wizard then you gave it a sourcetype and an index so just do this:

index=<The value you used> AND sourcetype=<The value you used>

skalliger · ‎07-19-2019

Hey there.

Splunk has so-called pretrained source types. When not specifically set, Splunk tries to recognise the source type. Next to csv, there are some formats being recognised pretty good as well. I mean, CSV just means "segment data by commas".

See the docs for further examples: https://docs.splunk.com/Documentation/Splunk/7.3.0/Data/Listofpretrainedsourcetypes

Skalli

chendw98 · ‎07-19-2019

Hi there,

But why if I upload the csv through the forwarder, it appears to be something like "mscs:storage:blob"? Is it possible to specify the type to be csv in input.conf?

Thanks!
Justin

Why splunk can directly read and parse the csv file uploaded?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation