Splunk Search

csv file in blob storage

Skins
Path Finder

I am ingesting from blob storage and have downloaded an example of the file and uploaded to a standalone box and created a new sourcetype and all working as expected.

using INDEXED_EXTRACTIONS = csv

moving to my tierd environment the blob storage is collected via app running on the HF - so i have added the new sourcetype defined there and also on the SH - nothing on the indexing tier.

however searching from the SH tier - the sourcetype is shown but the fields are not extracted.

what could i be missing ?

gratzi

Tags (1)
0 Karma

rajasekhar14
Path Finder

hi @Skins

did you resolve this issue?

0 Karma

p_gurav
Champion

Where you are putting INDEXED_EXTRACTIONS = csv this seeting?

0 Karma

alexstanley
New Member

where you able to resolve this issue @Skins ?

0 Karma

p_gurav
Champion

Can you give what setting you configured for sourcetype on HF and SH?

0 Karma

Skins
Path Finder

[mscs:storage:blob:csv]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = csv
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIMESTAMP_FIELDS = date
category = Structured
description = csv files from azure blob
disabled = false
pulldown_type = true

0 Karma

Skins
Path Finder

I tried again - and manually downloaded a csv file from blob storage using Azure blob explorer
If i manually add the file to the HF it is indexed using the sourcetype correctly and indexed fileds are shown and searchable from the SH (this is a HF > IDX > SH Scenario)

If i then enable the blob collection again using the mscs app - just get headers

date,level,applicationName,instanceId,eventTickCount,eventId,pid,tid,message,activityId
host =XXXX source =blah/2018/09/16/09/logname.csv sourcetype = mscs:storage:blob:csv

0 Karma

rfoucault
New Member

Hello,

I'm coming to you, I'm trying to implement a BLOB to a splunk like you. I have the same concern that you have found a solution to this problem?

Have a good day

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...