Splunk Search

csv file in blob storage

Skins
Path Finder

I am ingesting from blob storage and have downloaded an example of the file and uploaded to a standalone box and created a new sourcetype and all working as expected.

using INDEXED_EXTRACTIONS = csv

moving to my tierd environment the blob storage is collected via app running on the HF - so i have added the new sourcetype defined there and also on the SH - nothing on the indexing tier.

however searching from the SH tier - the sourcetype is shown but the fields are not extracted.

what could i be missing ?

gratzi

Tags (1)
0 Karma

rajasekhar14
Path Finder

hi @Skins

did you resolve this issue?

0 Karma

p_gurav
Champion

Where you are putting INDEXED_EXTRACTIONS = csv this seeting?

0 Karma

alexstanley
New Member

where you able to resolve this issue @Skins ?

0 Karma

p_gurav
Champion

Can you give what setting you configured for sourcetype on HF and SH?

0 Karma

Skins
Path Finder

[mscs:storage:blob:csv]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = csv
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIMESTAMP_FIELDS = date
category = Structured
description = csv files from azure blob
disabled = false
pulldown_type = true

0 Karma

Skins
Path Finder

I tried again - and manually downloaded a csv file from blob storage using Azure blob explorer
If i manually add the file to the HF it is indexed using the sourcetype correctly and indexed fileds are shown and searchable from the SH (this is a HF > IDX > SH Scenario)

If i then enable the blob collection again using the mscs app - just get headers

date,level,applicationName,instanceId,eventTickCount,eventId,pid,tid,message,activityId
host =XXXX source =blah/2018/09/16/09/logname.csv sourcetype = mscs:storage:blob:csv

0 Karma

rfoucault
New Member

Hello,

I'm coming to you, I'm trying to implement a BLOB to a splunk like you. I have the same concern that you have found a solution to this problem?

Have a good day

0 Karma
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...