Splunk Search

csv file in blob storage

Skins
Path Finder

I am ingesting from blob storage. I have downloaded an example of the file, uploaded it to a standalone box, and created a new sourcetype, and all is working as expected.

Using INDEXED_EXTRACTIONS = csv

Moving to my tiered environment, the blob storage is collected via an app running on the HF, so I have added the new sourcetype defined there and also on the SH - nothing on the indexing tier.

However, searching from the SH tier, the sourcetype is shown but the fields are not extracted.

What could I be missing?

gratzi

0 Karma

rajasekhar14
Path Finder

Hi @Skins

Did you resolve this issue?

0 Karma

p_gurav
Champion

Where are you putting this INDEXED_EXTRACTIONS = csv setting?

0 Karma

alexstanley
New Member

Were you able to resolve this issue, @Skins?

0 Karma

p_gurav
Champion

Can you give the settings you configured for the sourcetype on the HF and SH?

0 Karma

Skins
Path Finder

[mscs:storage:blob:csv]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = csv
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIMESTAMP_FIELDS = date
category = Structured
description = csv files from azure blob
disabled = false
pulldown_type = true

0 Karma

Skins
Path Finder

I tried again and manually downloaded a csv file from blob storage using Azure blob explorer.
If I manually add the file to the HF, it is indexed using the sourcetype correctly, and the indexed fields are shown and searchable from the SH (this is a HF > IDX > SH scenario).

If I then enable the blob collection again using the mscs app, I just get headers:

date,level,applicationName,instanceId,eventTickCount,eventId,pid,tid,message,activityId
host =XXXX source =blah/2018/09/16/09/logname.csv sourcetype = mscs:storage:blob:csv

0 Karma

rfoucault
New Member

Hello,

I'm coming to you because I'm trying to implement BLOB to Splunk like you. I have the same concern. Have you found a solution to this problem?

Have a good day

0 Karma