All Apps and Add-ons

How to configure the REST API Modular Input to parse and extract CSV header and timestamp fields?

achusa
Loves-to-Learn Everything

Hi,

I have configured the REST API Modular Input to receive CSV data using the default handler and having "response_type = text" in inputs.conf.
Now I am trying to make Splunk identify the header fields

event sample:

 

 

 

Endpoint Name,Site,Last Logged In User,Group,Domain,Account,Console Visible IP,Agent Version,Last Active,Subscribed On,Health Status,Device Type,OS,OS Version,Architecture,Memory,CPU Count,Core Count,MAC Address,Management Connectivity,Network Status,Update Status,Scan Status,IP Addresses,Pending Uninstall,Disk Encryption,Vulnerability Status,Agent UUID,Agent ID,Customer Identifier,Console Migration Status,Locations,Agent Operational State
123,Servers,N/A,AWS - Citrix XenApp,CHN,123,54.211.215.107,4.3.2.86,2020-12-21T09:28:41.047625Z,2020-06-19T13:08:24.023922Z,Healthy,server,Windows,"Windows Server 2016 Datacenter,14393",64 bit,32 GB,8,8,"['01:61:81:ed:11:aa', '02:67:80:ed:11:aa', '02:67:80:ed:11:aa', '02:67:80:ed:11:aa']",Online,Connected,Up to date,Completed (2020-06-19T16:16:38.500116Z),"['10.11.118.141', 'fe80::d861:311:4109:ec4e', 'fe80::d81c:371:4109:ec4e', '10.222.122.116']",No,Off,Requires patching,83b3c93437b349a3b5c378ecadd11,917238114889702111,N/A,N/A,"['tt', 'ec']",Not disabled by the user
1223,Servers,N/A,AWS - Citrix XenApp,CHN,121,54.211.215.107,4.3.2.86,2020-12-21T09:28:41.047625Z,2020-06-19T13:08:24.023922Z,Healthy,server,Windows,"Windows Server 2016 Datacenter,14393",64 bit,32 GB,8,8,"['01:61:81:ed:11:aa', '02:67:80:ed:11:aa', '02:67:80:ed:11:aa', '02:67:80:ed:11:aa']",Online,Connected,Up to date,Completed (2020-06-19T16:16:38.500116Z),"['10.11.118.141', 'fe80::d861:311:4109:ec4e', 'fe80::d81c:371:4109:ec4e', '10.222.122.116']",No,Off,Requires patching,83b3c93437b349a3b5c378ecadd11,917238114889702111,N/A,N/A,"['tt', 'ec']",Not disabled by the user

 

 

 

The Rest API get the CSV file and it seems like Splunk cannot handle it as CSV:

https://docs.splunk.com/Documentation/Splunk/8.1.1/Data/Extractfieldsfromfileswithstructureddata

It does not work with modular inputs, network inputs, or any other type of input.

Is this correct? If so, how do I let this csv file can be indexed as CSV file and identity the header fields correctly?

 

Labels (1)
0 Karma

madhav_dholakia
Communicator

Hi @achusa.

I am facing the same issue - have you got a resolution for this? Is there any alternate (like making any changes in conf files) other than writing scripts/transforms to extract the required data?

Thank you.

0 Karma
Get Updates on the Splunk Community!

BSides Splunk 2022 - The Call for Papers is now Open!

TLDR; Main Site: https://bsidessplunk.com CFP Site: https://bsidessplunk.com/cfp CFP Opens: December 15th, ...

Sending Metrics to Splunk Enterprise With the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

What's New in Splunk Cloud Platform 9.0.2208?!

Howdy!  We are happy to share the newest updates in Splunk Cloud Platform 9.0.2208! Analysts can benefit ...