We have Splunk Cloud in our environment and we installed the Citrix Netscaler with Appflow app. The app seems to be working ok, but we are seeing errors regarding the following:
+0000 WARN SearchResults - /opt/splunk/etc/apps/SplunkforCitrixNetScaler/lookups/appid_lookup.csv is empty, multi-line header is missing matching quotation, or could not parse CSV header
I do have this file listed under lookups and lookup definitions and currently it has global permissions, however, the error above is shown. The app is present on the search heads and heavy forwarder (forwarder receiving events). I created a lookup folder on the TA app on the heavy forwarder and added the file there from the SplunkforCitrixNetscaler app folder. The issue still persists. Any idea what can be wrong?
Thanks for the reply. I attempted running it and didn't see any events populate, so I ran it manually:
"eventtype="netscaler_appflow" appName | stats values(appName) AS "appName" by appID | outputlookup appid_lookup.csv"
and still no events are seen. I also ran it as just "eventtype="netscaler_appflow" appName" and also didn't receive events. Could it be that the Netscaler isn't sending appName data?