How to extract multiline cell value in a CSV into an individual field for an event?

astackpole — Fri, 14 Apr 2023 16:22:42 GMT

Hi All,

I'm having issues with ingesting my CSV files properly into Splunk and did not come across any current Q&A that could help my specific issue.

An example of a couple rows of data in my CSV are as follows with their respective header field at the top of the file,

Plugin ID

CVE

CVSS v2.0 Base Score

Risk

Host

Protocol

Port

Name

Synopsis

Description

Solution

See Also

Plugin Output

STIG Severity

CVSS v3.0 Base Score

CVSS v2.0 Temporal Score

CVSS v3.0 Temporal Score

Risk Factor

BID

XREF

MSKB

Plugin Publication Date

Plugin Modification Date

Metasploit

Core Impact

CANVAS

135860

None

host2.web.com

tcp

445

WMI Not Available

WMI queries could not be made against the remote host.

WMI (Windows Management Instrumentation) is not available on the
remote host over DCOM. WMI queries are used to gather information
about the remote host, such as its current state, network interface
configuration, etc.

Without this information Nessus may not be able to identify installed
software or security vunerabilities that exist on the remote host.

n/a

https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page

Can't connect to the 'root\CIMV2' WMI namespace.

None

4/21/20

12/21/22

166602

None

host2.web.com

tcp

Asset Attribute: Fully Qualified Domain Name (FQDN)

Report Fully Qualified Domain Name (FQDN) for the remote host.

n/a

The FQDN for the remote host has been determined to be:

FQDN       : host2.web.com
Confidence : 100
Resolves   : True
Method     : rDNS Lookup: IP Address

Another possible FQDN was also detected:

None

10/27/22

For the second event's Plugin Output field, it keeps reading each new line as a new row. A lot of the rows contain similar data which is causing there to be far more logged events than there are rows in the CSV file.

How can I ensure these fields get parsed properly to keep each row within one event and each cell as it's own field? I have tried a handful of configurations and am currently working with the following,

props.conf

[csv] INDEXED_EXTRACTIONS = csv DATETIME_CONFIG = CURRENT SHOULD_LINEMERGE = true NO_BINARY_CHECK = true CHARSET = AUTO KV_MODE = none pulldown_type = true [scan_reports] REPORT-scan_reports = csv_fields

transforms.conf

[csv_fields] DELIMS = "," FIELDS = "Plugin ID", "CVE", CVSS v2.0 Base Score", "Risk", "Host", "Protocol", "Port", "Name", "Synposis", "Description", "Solution", "See Also", "Plugin Output", "STIG Severity", "CVSS v3.0 Base Score", "CVSS v2.0 Temporal Score", "CVSS v3.0 Temporal Score", "Risk Factor", "BID", "XREF", "MSKB", "Plugin Publication Date", "Plugin Modification Date", "Metasploit", "Core Impact", "CANVAS"

Any help will be greatly appreciated!

Re: Extracting multiline cell value in a CSV into an individual field for an event

richgalloway — Fri, 14 Apr 2023 00:21:29 GMT

For Splunk to process them properly, multi-line fields in a CSV should be enclosed in quotation marks. Likewise, for fields with embedded commas (like Description).

topic Re: Extracting multiline cell value in a CSV into an individual field for an event in Getting Data In

How to extract multiline cell value in a CSV into an individual field for an event?

Re: Extracting multiline cell value in a CSV into an individual field for an event