Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

csv file in blob storage

Skins
Path Finder
‎12-19-2018 10:10 PM

I am ingesting from blob storage and have downloaded an example of the file and uploaded to a standalone box and created a new sourcetype and all working as expected.

using INDEXED_EXTRACTIONS = csv

moving to my tierd environment the blob storage is collected via app running on the HF - so i have added the new sourcetype defined there and also on the SH - nothing on the indexing tier.

however searching from the SH tier - the sourcetype is shown but the fields are not extracted.

what could i be missing ?

gratzi

Tags (1)
0 Karma
Reply

rajasekhar14
Path Finder
‎11-14-2019 08:06 AM

hi @Skins

did you resolve this issue?

0 Karma
Reply

p_gurav
Champion
‎12-27-2018 12:19 AM

Where you are putting INDEXED_EXTRACTIONS = csv this seeting?

0 Karma
Reply

alexstanley
New Member
‎08-27-2019 09:15 PM

where you able to resolve this issue @Skins ?

0 Karma
Reply

p_gurav
Champion
‎12-27-2018 01:52 AM

Can you give what setting you configured for sourcetype on HF and SH?

0 Karma
Reply

Skins
Path Finder
‎01-02-2019 07:26 PM

[mscs:storage:blob:csv]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = csv
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIMESTAMP_FIELDS = date
category = Structured
description = csv files from azure blob
disabled = false
pulldown_type = true

0 Karma
Reply

Skins
Path Finder
‎01-02-2019 09:43 PM

I tried again - and manually downloaded a csv file from blob storage using Azure blob explorer
If i manually add the file to the HF it is indexed using the sourcetype correctly and indexed fileds are shown and searchable from the SH (this is a HF > IDX > SH Scenario)

If i then enable the blob collection again using the mscs app - just get headers

date,level,applicationName,instanceId,eventTickCount,eventId,pid,tid,message,activityId
host =XXXX source =blah/2018/09/16/09/logname.csv sourcetype = mscs:storage:blob:csv

0 Karma
Reply

rfoucault
New Member
‎03-17-2021 01:35 AM

Hello,

I'm coming to you, I'm trying to implement a BLOB to a splunk like you. I have the same concern that you have found a solution to this problem?

Have a good day

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
Top