<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: HTTP Event Collector and CSV files in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/HTTP-Event-Collector-and-CSV-files/m-p/323581#M60253</link>
    <description>&lt;P&gt;@skhedim Hey, I am facing the same problem. Did you find a solution for it?&lt;/P&gt;</description>
    <pubDate>Tue, 09 Jul 2019 06:22:10 GMT</pubDate>
    <dc:creator>cbhattad1</dc:creator>
    <dc:date>2019-07-09T06:22:10Z</dc:date>
    <item>
      <title>HTTP Event Collector and CSV files</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/HTTP-Event-Collector-and-CSV-files/m-p/323578#M60250</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;

&lt;P&gt;I would like to know whether it is possible to send a CSV to the HEC and have the column names taken into consideration in the index. Here is my CSV file:&lt;/P&gt;

&lt;P&gt;url,vuln,fix,severity,package,imageTag&lt;BR /&gt;
https://security-tracker.debian.org/tracker/CVE-2018-1302,CVE-2018-1302,None,Unknown,apache2-2.4.25-3+deb9u3,docker.io/wordpress:latest&lt;BR /&gt;
https://security-tracker.debian.org/tracker/CVE-2007-3303,CVE-2007-3303,None,Negligible,apache2-2.4.25-3+deb9u3,docker.io/wordpress:latest&lt;BR /&gt;
https://security-tracker.debian.org/tracker/CVE-2003-1580,CVE-2003-1580,None,Negligible,apache2-2.4.25-3+deb9u3,docker.io/wordpress:latest&lt;BR /&gt;
https://security-tracker.debian.org/tracker/CVE-2003-1581,CVE-2003-1581,None,Negligible,apache2-2.4.25-3+deb9u3,docker.io/wordpress:latest&lt;BR /&gt;
https://security-tracker.debian.org/tracker/CVE-2008-0455,CVE-2008-0455,None,Negligible,apache2-2.4.25-3+deb9u3,docker.io/wordpress:latest&lt;BR /&gt;
https://security-tracker.debian.org/tracker/CVE-2001-1534,CVE-2001-1534,None,Negligible,apache2-2.4.25-3+deb9u3,docker.io/wordpress:latest&lt;/P&gt;

&lt;P&gt;I would like the url,vuln,fix,severity,... headers to be recognized as columns in Splunk, to get a table.&lt;/P&gt;

&lt;P&gt;When I manually import my CSV file the fields are well recognized and everything works as I want. But with HEC, the headers line is simply added to the event list.&lt;/P&gt;

&lt;P&gt;To send my CSV to HEC, I use a Python script and the PyHEC module (github jonromero pyHEC). With this piece of code I send the content of my CSV line by line:&lt;/P&gt;

&lt;PRE&gt;with open("vuln.csv") as fp:
    # Every line, including the header row, is sent as its own raw event
    for line in fp:
        print(hec.send(line))&lt;/PRE&gt;

&lt;P&gt;I also tried without a loop, but the whole CSV content is stored in a single event.&lt;/P&gt;

&lt;P&gt;I also tried field extraction, but I send 2 different CSVs in the same index, with different fields.&lt;/P&gt;

&lt;P&gt;To be clear, this works with CSV files sent manually to Splunk.&lt;/P&gt;

&lt;P&gt;Do you have any idea how to make Splunk recognize CSV headers when sending via HTTP Event Collector?&lt;/P&gt;

&lt;P&gt;Sincerely.&lt;/P&gt;</description>
      <pubDate>Mon, 09 Apr 2018 08:41:23 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/HTTP-Event-Collector-and-CSV-files/m-p/323578#M60250</guid>
      <dc:creator>skhedim</dc:creator>
      <dc:date>2018-04-09T08:41:23Z</dc:date>
    </item>
    <item>
      <title>Re: HTTP Event Collector and CSV files</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/HTTP-Event-Collector-and-CSV-files/m-p/323579#M60251</link>
      <description>&lt;P&gt;Use a dict reader in python to read it in as a list of dicts.&lt;/P&gt;

&lt;P&gt;Then send as the event dict.&lt;BR /&gt;
&lt;A href="https://github.com/georgestarcher/Splunk-Class-httpevent"&gt;https://github.com/georgestarcher/Splunk-Class-httpevent&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 09 Apr 2018 16:20:02 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/HTTP-Event-Collector-and-CSV-files/m-p/323579#M60251</guid>
      <dc:creator>starcher</dc:creator>
      <dc:date>2018-04-09T16:20:02Z</dc:date>
    </item>
    <item>
      <title>Re: HTTP Event Collector and CSV files</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/HTTP-Event-Collector-and-CSV-files/m-p/323580#M60252</link>
      <description>&lt;P&gt;What a great idea. I've been testing having users upload to a Heavy Forwarder, and then monitoring the app folder they upload to, to ingest the CSV as a log instead of a lookup; however, your approach seems much more pragmatic.&lt;/P&gt;</description>
      <pubDate>Tue, 19 Jun 2018 17:50:43 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/HTTP-Event-Collector-and-CSV-files/m-p/323580#M60252</guid>
      <dc:creator>bandit</dc:creator>
      <dc:date>2018-06-19T17:50:43Z</dc:date>
    </item>
    <item>
      <title>Re: HTTP Event Collector and CSV files</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/HTTP-Event-Collector-and-CSV-files/m-p/323581#M60253</link>
      <description>&lt;P&gt;@skhedim Hey, I am facing the same problem. Did you find a solution for it?&lt;/P&gt;</description>
      <pubDate>Tue, 09 Jul 2019 06:22:10 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/HTTP-Event-Collector-and-CSV-files/m-p/323581#M60253</guid>
      <dc:creator>cbhattad1</dc:creator>
      <dc:date>2019-07-09T06:22:10Z</dc:date>
    </item>
  </channel>
</rss>

