I decided to convert them to CSV to make it a bit easier. I followed the video you linked, but now I'm getting no results returned via search.

Here's my search string:

source="filename.csv" sourcetype="csv" | search EventCode=4624 | table _time, Account_Name, Message

Hi @BabySplunk,

at first use always the index value in searches because you index could not be in the default path and probably this is your issue.

then check the EventCode field: field names in Splunk are Case sensitive.

Then you don't need to use the search command, put the search conditons as left as possible:

index=your_index source="filename.csv" sourcetype="csv" EventCode=4624 
| table _time Account_Name Message

Ciao.

Giuseppe

Thanks for your help, but I'm still returning no results.

Hi @BabySplunk,

how do you indexed these csv files?

in which index did you stored them?

Ciao.

Giuseppe

The index is titled "main"

Hi @BabySplunk,

it isn't a best prectice to use the default index "main"!

Anyway, how did you ingested these files?

Ciao.

Giuseppe

I did a one-time upload via the SplunkEnterprise webpage and followed the wizard.

Hi @BabySplunk,

at the end of the guided procedure, you can search Data, have you results?

ciao.

Giuseppe

No results.

Hi @BabySplunk,

this means that the ingestion procedure failed and you didn't uploaded your data.

During the guided procedure, you can check the timestamp recognition and the fields recognition, do you correctly see them?

Ciao.

Giuseppe.

Yes, I see them and my data is now populating but when I complete the upload and attempt a search, I'm still getting "no results found".

Hi @BabySplunk,

using the guided procedure, check if the timestamp is correctly read because if you're using a date in european format (dd/mm/yyy), until the 11th of the month, Splunk read it in american format (mm/dd/yyy) and maybe your data were ingested but with the wrong timestamp.

You can check this searching your data with timestamp 01/12/2022 at the 12th of January 2022.

If this is the issue, you have to force the correct TIME_FORMAT in sourcetype.

Ciao.

Giuseppe

I have it showing results now, but the table header tags that I typically use with my forwarded data is not matching up in the CSV import. For instance, I normally use "| table _time,Account_Name,Message,EventCode" but nothing matches from the CSV import. It reads as "Event ID" instead of EventCode and "EXTRA_FIELD_" instead of Message and "Account_Name" returns no results.

Check the time range of your search. If you import data from the past you might be simply searching over wrong time range which by default is some time "backwards" from now (like last 24h).