Splunk Search

Why am I getting no search results after uploading a CSV file in Splunk Web?

zsizemore
Path Finder

Hi,

I uploaded a .csv file through Splunk Web. The sourcetype is a csv, and it just went into the default index, but when I search for it, I can't find it anywhere.

I've tried sourcetype="csv" by itself and source="viatest2.csv(what I named the file), and a combination of the two.

No success.

any ideas?

0 Karma

hardikJsheth
Motivator

Are you monitoring csv file through input stanza? If yes, do add new line into your csv file and then see if it gets loaded into the Splunk. If this is the case, you may need to reindex the file by clearing fishbucket. To clear fishbucekt, you may refer https://answers.splunk.com/answers/72562/how-to-reindex-data-from-a-forwarder.html

0 Karma

gcusello
SplunkTrust
SplunkTrust

be aware that in source there are the double quotes and then, if you have a back slash, that there is a double back slash:
e.g.: source="c:\aaa\bbb\ccc.log"
Bye.
Giuseppe

0 Karma

woodcock
Esteemed Legend

Try this and run for All Time:

index=* OR index=_* source="*viatest2.csv*"
0 Karma

zsizemore
Path Finder

no results still. I even tried doing index=* for All Time and didn't see my sourcetype or data anywhere in there. when I try to upload it again and save the sourcetype csv, i have insufficient permissions to change that, so I'm wondering if that could be the culprit somehow.

0 Karma

woodcock
Esteemed Legend

Did you cut and paste my answer EXACTLY? The key is the asterisks ( '*' ) in the source field.

0 Karma

zsizemore
Path Finder

Yes i cut-pasted it, something went wrong with the upload I suppose.

0 Karma

pradeepkumarg
Influencer

did you try changing the time frame you are looking for? Try selecting "All Time"

Your source should be the complete path including the file name and not just the file name.

0 Karma

zsizemore
Path Finder

It automatically filled a complete path source="viatest2.csv" host="splunk-search-head-dev-02" sourcetype="csv"
but that didn't return any results, even over all time.

0 Karma

rtestu_splunk
Splunk Employee
Splunk Employee

Hi,

Are you sure the upload worked and you finished the process ?

Romain.

0 Karma

zsizemore
Path Finder

Is there a way to verify the upload worked?

0 Karma

pradeepkumarg
Influencer

Try running the below search and see if the intended source comes up in the list

|metadata type=sources
0 Karma

zsizemore
Path Finder

My source isn't on that list, i also had to add index=* after it.

0 Karma

pradeepkumarg
Influencer

Then probably the upload didn't complete

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...