Splunk Enterprise

How to show entire data of the index?

Sabahat
Loves-to-Learn Lots

I have created an index to store my data on Splunk. 
The data contains 5 csv files uploaded one by one in the index.
Now, if I try to show the data inside the index, it shows the latest data (the CSV file that was uploaded at the end).

We can show the data of other files by querying, including specific source names, but by default, we cannot see the whole data; we can only see the data of the last table.
To overcome this challenge we have used joins to join all the tables and show them through the query in one report.
I wanted to find out if there is a better way to do this. I have to show this data in Power BI, and for that, I should have a complete report of the data.

0 Karma

PickleRick
SplunkTrust

We have no idea what data you uploaded and how. I assume you used the webui and went through the "add data" dialog but we have no idea what sourcetype(s) you used, whether you had proper timestamp recognition and so on.

We also have no knowledge about how you are searching for that data.

So the only answer we can give you is "search for your data properly".

But seriously - you're giving us the equivalent of "I bought a computer, I did something with it and now it doesn't do what I want".

0 Karma

Sabahat
Loves-to-Learn Lots

The data I have uploaded contains 5 CSV files (mentioned): Apartments.csv, Buildings.csv, Maintenance.csv, Energy Consumption.csv, and Security Events.csv.
I used the Splunk web interface and the Add Data feature to upload data. The search query used to search data within the index is index="SC_POC1"

Sabahat_0-1728985255007.png

If I search for data in the index, then it shows data from the last uploaded table by default. As in the screenshot attached, the search query shows only data on Energy Consumption; however, index "SC_POC1" contains data of all the 5 CSVs. I can search for the other data like Apartments, Buildings by specifying it in the query like
index="SC_POC1" source="Apartments.csv", but then it will show only Apartments data.
I want to show all the data (events) in the index. For this, I used joins on the tables so that I could search for the entire data of the index, but it also did not work.
I want to know if there is a better way to do this.
(I am using Splunk Enterprise)

0 Karma

ITWhisperer
SplunkTrust

What do you get if you do this?

index="SC_POC1"
| stats count by sourcetype source

0 Karma

Sabahat
Loves-to-Learn Lots

I get the list of all the sources and the total events within each source.

Sabahat_0-1729074927399.png

 

0 Karma

ITWhisperer
SplunkTrust

So all the data is there - what made you think you could not see it?

0 Karma

Sabahat
Loves-to-Learn Lots

Actually, I have to connect Splunk with Power BI, and I have to save the result of the search query as a report so I can connect my report with Power BI.
The report is created only for the data that is displayed from the search query. If the search query does not display data for the other tables, it is not contained in the report and hence in Power BI.

0 Karma

PickleRick
SplunkTrust

OK. Let's back up a little. You have static csv files which you uploaded to Splunk. Now you're trying to get them from Splunk with PowerBI. Why the extra step? As far as I remember you can just set up an ODBC connection to a CSV file (in case PowerBI can't handle a raw file on its own).

What's the point of dropping in Splunk as the middle man?

0 Karma

ITWhisperer
SplunkTrust

OK so your search for your report is discounting the data from the other sources (for some reason). What is this search? What is it doing to discount the other sources?

0 Karma