I have created an index to store my data on Splunk.
The data contains 5 csv files uploaded one by one in the index.
Now, if I try to show the data inside the index, it shows the latest data (the csv file that was uploaded at the end).
We can show the data of other files by querying, including specific source names, but by default, we cannot see the whole data; we can only see the data of the last table.
To overcome this challenge we have used joins to join all the tables and show them through the query in one report.
I wanted to find out if there is a better way to do this. I have to show this data in Power BI, and for that, I should have a complete report of the data.
We have no idea what data you uploaded and how. I assume you used the webui and went through the "add data" dialog but we have no idea what sourcetype(s) you used, whether you had proper timestamp recognition and so on.
We have also no knowledge about how you are searching for that data.
So the only answer we can give you is "search for your data properly".
But seriously - you're giving us the equivalent of "I bought a computer, I did something with it and now it doesn't do what I want".
The data I have uploaded contains 5 CSV files (mentioned) Apartments.csv, Buildings.csv, Maintenance.csv, Energy Consumption.csv, and Security Events.csv.
I used the Splunk web interface and the Add Data feature to upload data. The search query used to search data within the index is index="SC_POC1"
If I search for data in the index, then it shows data from the last uploaded table by default. As in the screenshot attached, the search query shows only data on Energy Consumption, however index "SC_POC1" contains data of all the 5 csvs. I can search for the other data like Apartments, Buildings by specifying in the query like
index="SC_POC1" source="Apartments.csv", but then it will show only Apartments data.
I want to show all the data (events) in the index. For this, I used joins on the tables so that I could search for the entire data of the index, but it also did not work.
I want to know if there is a better way to do this.
(I am using Splunk Enterprise)
What do you get if you do this?
index="SC_POC1"
| stats count by sourcetype source
I get the list of all the sources and the total events within each source.
So all the data is there - what made you think you could not see it?
Actually, I have to connect Splunk with Power BI. And I have to save the result of the search query as a report so I can connect my report with Power BI.
The report is created only for the data that is displayed by the search query. If the search query does not display data for the other tables, it is not contained in the report and hence in Power BI.
OK. Let's back up a little. You have static csv files which you uploaded to Splunk. Now you're trying to get them from Splunk with PowerBI. Why the extra step? As far as I remember you can just set up an ODBC connection to a CSV file (in case PowerBI can't handle a raw file on its own).
What's the point of dropping in Splunk as the middle man?
OK so your search for your report is discounting the data from the other sources (for some reason). What is this search? What is it doing to discount the other sources?