hello team,
I have data from CSV files coming into my Splunk instance, I can search and find that data.
However, they come together in the "Event" field, and I would like to separate them based on a comma to create dashboards for servers that haven't been patched in over 30 days and haven't been restarted in over 30 days.
So I use the following search:
index="index_name" host=hostname source="path_to_file/file.csv" sourcetype="my_source"
And I get the results as follows:
I'm new to the tool and a bit overwhelmed by the amount of information, so I'm not sure which way to go.
Is it possible to do this just using Splunk Commands?
Note: As you can see I have hidden the real information about the servers, IPs and other names for compliance purposes.
Hi @tarcio_nieri,
have all your fields been correctly extracted or not?
If yes, you only have to use them; if not, you have to add INDEXED_EXTRACTIONS=csv to your props.conf (on the server where you configured the input).
In this way, you automatically extract the fields.
If you didn't use this approach, you could make a copy of your csv file and manually ingest it using the Add Data feature of the Settings menu.
In this way you'll be guided in the props.conf building.
In addition, you could search for some documents or videos on the internet, like the following:
https://hurricanelabs.com/splunk-tutorials/ingesting-a-csv-file-into-splunk/
https://www.youtube.com/watch?v=3kx0OGKy_XU
etc...
Ciao.
Giuseppe
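As an added example (not part of the original thread or of Giuseppe's reply), these are the two stanzas the INDEXED_EXTRACTIONS approach needs. The sourcetype my_source, the index name and the file path placeholder are taken from the question; the remaining settings are assumptions about a plain header-row CSV:

```ini
# props.conf on the instance that runs the monitor input (usually the
# universal forwarder, not the search head): indexed extractions are
# applied at index time, so they must live where the file is read.
[my_source]
INDEXED_EXTRACTIONS = csv
FIELD_DELIMITER = ,
# assumption: the first line of the file is the column header
HEADER_FIELD_LINE_NUMBER = 1
# assumption: no column holds a real event time, so stamp events with ingest time
DATETIME_CONFIG = CURRENT

# inputs.conf on the same instance: bind the file to that sourcetype
[monitor://path_to_file/file.csv]
sourcetype = my_source
index = index_name
disabled = false
```

Two caveats a practitioner should expect: indexed extractions only apply to data indexed after the stanza is in place and the forwarder is restarted, so events already in the index keep their unparsed "Event" text; and the monitor input tracks files it has already consumed, so dropping the same unchanged file back into the directory will not re-index it.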
Thanks for the suggestions guys, I will test and mark the one that helps me.
Hi @tarcio_nieri,
good for you, see you next time!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated by all the contributors 😉
Thanks man!
Now I will do some research on how to count the amount of days from a given date.
For example, I have a PATCH_DATE, that returns a date in the format 2023-07-12 (Y-M-D). If it is > than 30 the event should show up in the search... I have one event for each server...
Hi @tarcio_nieri,
this is another question on a different topic.
In this case, please open a new question; in this way you'll surely have a better and faster solution.
Anyway, to compare dates, you have to convert them to epoch time using the eval command with the strptime function, something like this:
<your_search>
| eval PATCH_DATE_epoch=strptime(PATCH_DATE,"%Y-%m-%d")
| where now()-PATCH_DATE_epoch>86400*30
Ciao.
Giuseppe
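An added example, not part of Giuseppe's reply, that carries the strptime comparison through to the search the question asked for: one row per server, flagged when either the patch date or the last reboot is older than 30 days. The search filter, the PATCH_DATE column and its %Y-%m-%d format come from the thread; the LAST_REBOOT and SERVER column names are assumptions for the reboot date and the server identifier in the CSV:

```spl
index="index_name" host=hostname source="path_to_file/file.csv" sourcetype="my_source"
``` collapse re-ingested copies of the CSV to the most recent row per server
| stats latest(PATCH_DATE) AS PATCH_DATE latest(LAST_REBOOT) AS LAST_REBOOT BY SERVER
``` strptime returns null when the value is blank or not in Y-M-D form
| eval patch_epoch=strptime(PATCH_DATE,"%Y-%m-%d"),
       reboot_epoch=strptime(LAST_REBOOT,"%Y-%m-%d")
| eval days_since_patch=floor((now()-patch_epoch)/86400),
       days_since_reboot=floor((now()-reboot_epoch)/86400)
``` keep overdue servers AND servers whose dates could not be parsed
| where days_since_patch>30 OR days_since_reboot>30
       OR isnull(patch_epoch) OR isnull(reboot_epoch)
| table SERVER PATCH_DATE days_since_patch LAST_REBOOT days_since_reboot
| sort - days_since_patch
```

The isnull() terms matter for the compliance view: a server with an empty or malformed PATCH_DATE would otherwise drop out of the where clause and look compliant, which is exactly the host you want on the dashboard. In a dashboard panel the literal 30 can be replaced by a token so the same panel serves different patching SLAs.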
If you are ingesting a CSV file with a header row, then Splunk will normally auto-extract the field names from that header.
On the left hand side of that event image do you have a list of the field names? If you search in verbose mode, Splunk will show you all the fields that it has extracted during the search.