Splunk Search

Why am I getting no search results after uploading a CSV file in Splunk Web?

Path Finder

Hi,

I uploaded a .csv file through Splunk Web. The sourcetype is a csv, and it just went into the default index, but when I search for it, I can't find it anywhere.

I've tried sourcetype="csv" by itself and source="viatest2.csv(what I named the file), and a combination of the two.

No success.

any ideas?

0 Karma

Motivator

Are you monitoring csv file through input stanza? If yes, do add new line into your csv file and then see if it gets loaded into the Splunk. If this is the case, you may need to reindex the file by clearing fishbucket. To clear fishbucekt, you may refer https://answers.splunk.com/answers/72562/how-to-reindex-data-from-a-forwarder.html

0 Karma

SplunkTrust
SplunkTrust

be aware that in source there are the double quotes and then, if you have a back slash, that there is a double back slash:
e.g.: source="c:\aaa\bbb\ccc.log"
Bye.
Giuseppe

0 Karma

Esteemed Legend

Try this and run for All Time:

index=* OR index=_* source="*viatest2.csv*"
0 Karma

Path Finder

no results still. I even tried doing index=* for All Time and didn't see my sourcetype or data anywhere in there. when I try to upload it again and save the sourcetype csv, i have insufficient permissions to change that, so I'm wondering if that could be the culprit somehow.

0 Karma

Esteemed Legend

Did you cut and paste my answer EXACTLY? The key is the asterisks ( '*' ) in the source field.

0 Karma

Path Finder

Yes i cut-pasted it, something went wrong with the upload I suppose.

0 Karma

Influencer

did you try changing the time frame you are looking for? Try selecting "All Time"

Your source should be the complete path including the file name and not just the file name.

0 Karma

Path Finder

It automatically filled a complete path source="viatest2.csv" host="splunk-search-head-dev-02" sourcetype="csv"
but that didn't return any results, even over all time.

0 Karma

Splunk Employee
Splunk Employee

Hi,

Are you sure the upload worked and you finished the process ?

Romain.

0 Karma

Path Finder

Is there a way to verify the upload worked?

0 Karma

Influencer

Try running the below search and see if the intended source comes up in the list

|metadata type=sources
0 Karma

Path Finder

My source isn't on that list, i also had to add index=* after it.

0 Karma

Influencer

Then probably the upload didn't complete

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!