topic Forcepoint Web Security add-on avoid csv header extraction in Splunk Cloud Platform

Forcepoint Web Security add-on avoid csv header extraction

SplunkExplorer — Mon, 17 Jul 2023 13:25:08 GMT

Hi Splunkers, in our environment we onboarded Forcepoint Cloud logs following this guide.
In a nuthsell, we have to use a script that regularly pulls data from cloud and place them on a HF, as .csv files; then, info are sent to Splunk Cloud.

We got the following problem: logs are always of 2 types, the correct one and the "empty one":

As you can see, we have only the field labels, not values. Working with support, we discovered that a possible root case is in the add-on, that sometimes extract the .csv header and manage it like data. So, if we want to solve the problem and avoid to change the script, we could fix the problem going in props.conf of add-on used to parse, which is Splunk Add-on for Forcepoint Web Security , perform a change and take the correct logs.

So, the question is: if I have to tell in a props.conf "Hey, don't extract the .csv headers", which syntax I have to use?

Re: Forcepoint Web Security add-on avoid csv header extraction

m_pham — Fri, 21 Jul 2023 10:19:58 GMT

Hi there, if the add-on you're using is just ingesting a the CSV file itself, then you can use the following configuration below to tell Splunk about the header fields so it doesn't ingest them.

[my_sourcetype] # Specifies the line number of the line within the file that contains the header fields. If set to 0, Splunk attempts to locate the header fields within the file automatically. HEADER_FIELD_LINE_NUMBER = 0 # Specifies which character delimits or separates field names in the header line. You can specify special characters in this attribute. If HEADER_FIELD_DELIMITER is not specified, FIELD_DELIMITER applies to the header line. HEADER_FIELD_DELIMITER = ,

More details on ingesting structured data can be found here:

https://docs.splunk.com/Documentation/SplunkCloud/9.0.2305/Data/Extractfieldsfromfileswithstructureddata