All Apps and Add-ons

How to configure the REST API Modular Input to parse and extract CSV header and timestamp fields?

achusa
Loves-to-Learn Everything

Hi,

I have configured the REST API Modular Input to receive CSV data using the default handler and having "response_type = text" in inputs.conf.
Now I am trying to make Splunk identify the header fields

event sample:


Endpoint Name,Site,Last Logged In User,Group,Domain,Account,Console Visible IP,Agent Version,Last Active,Subscribed On,Health Status,Device Type,OS,OS Version,Architecture,Memory,CPU Count,Core Count,MAC Address,Management Connectivity,Network Status,Update Status,Scan Status,IP Addresses,Pending Uninstall,Disk Encryption,Vulnerability Status,Agent UUID,Agent ID,Customer Identifier,Console Migration Status,Locations,Agent Operational State
123,Servers,N/A,AWS - Citrix XenApp,CHN,123,54.211.215.107,4.3.2.86,2020-12-21T09:28:41.047625Z,2020-06-19T13:08:24.023922Z,Healthy,server,Windows,"Windows Server 2016 Datacenter,14393",64 bit,32 GB,8,8,"['01:61:81:ed:11:aa', '02:67:80:ed:11:aa', '02:67:80:ed:11:aa', '02:67:80:ed:11:aa']",Online,Connected,Up to date,Completed (2020-06-19T16:16:38.500116Z),"['10.11.118.141', 'fe80::d861:311:4109:ec4e', 'fe80::d81c:371:4109:ec4e', '10.222.122.116']",No,Off,Requires patching,83b3c93437b349a3b5c378ecadd11,917238114889702111,N/A,N/A,"['tt', 'ec']",Not disabled by the user
1223,Servers,N/A,AWS - Citrix XenApp,CHN,121,54.211.215.107,4.3.2.86,2020-12-21T09:28:41.047625Z,2020-06-19T13:08:24.023922Z,Healthy,server,Windows,"Windows Server 2016 Datacenter,14393",64 bit,32 GB,8,8,"['01:61:81:ed:11:aa', '02:67:80:ed:11:aa', '02:67:80:ed:11:aa', '02:67:80:ed:11:aa']",Online,Connected,Up to date,Completed (2020-06-19T16:16:38.500116Z),"['10.11.118.141', 'fe80::d861:311:4109:ec4e', 'fe80::d81c:371:4109:ec4e', '10.222.122.116']",No,Off,Requires patching,83b3c93437b349a3b5c378ecadd11,917238114889702111,N/A,N/A,"['tt', 'ec']",Not disabled by the user


The REST API gets the CSV file, and it seems like Splunk cannot handle it as CSV:

https://docs.splunk.com/Documentation/Splunk/8.1.1/Data/Extractfieldsfromfileswithstructureddata

It does not work with modular inputs, network inputs, or any other type of input.

Is this correct? If so, how do I get this CSV file indexed as a CSV file and identify the header fields correctly?

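Since the structured-data header extraction quoted above applies only to file inputs, the practical place to handle this for a modular input is before the data reaches the indexer. Below is an added example (not the poster's configuration and not code from the REST API Modular Input itself) showing what that pre-processing has to get right for the sample in the question: quoted fields that contain commas, the Python-literal lists in the MAC/IP columns, and a timestamp column used for the event time. The sample CSV is constructed from a trimmed subset of the columns in the post, the column name "Last Active" as the time source is an assumption, and the malformed third row is constructed to show how a row with the wrong column count is rejected rather than silently mis-mapped onto the header. The add-on's custom response handler mechanism is where logic like this would live; its class interface is not reproduced here.

```python
import ast
import csv
import io
import json
from datetime import datetime, timezone

# Constructed sample (not the poster's full data): header plus one real-shaped row,
# trimmed to the columns that exercise the parsing problems, plus one malformed row.
SAMPLE_CSV = """Endpoint Name,Site,OS Version,Last Active,MAC Address,IP Addresses,Vulnerability Status
123,Servers,"Windows Server 2016 Datacenter,14393",2020-12-21T09:28:41.047625Z,"['01:61:81:ed:11:aa', '02:67:80:ed:11:aa']","['10.11.118.141', 'fe80::d861:311:4109:ec4e']",Requires patching
bad-row,Servers
"""

TIME_FIELD = "Last Active"            # assumption: which column becomes the event time
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"  # matches the ISO-8601 'Z' timestamps in the sample


def parse_timestamp(value):
    """Return a UTC epoch float for a timestamp in TIME_FORMAT, or None if it does not parse."""
    try:
        return datetime.strptime(value, TIME_FORMAT).replace(tzinfo=timezone.utc).timestamp()
    except ValueError:
        return None


def split_list_field(value):
    """Turn a Python-literal list such as "['a', 'b']" into a real list of strings.

    Only bracketed values are considered, and ast.literal_eval (never eval) is used so
    untrusted API output cannot execute anything. Anything else is returned unchanged.
    """
    if value.startswith("[") and value.endswith("]"):
        try:
            parsed = ast.literal_eval(value)
            if isinstance(parsed, list) and all(isinstance(x, str) for x in parsed):
                return parsed
        except (ValueError, SyntaxError):
            pass
    return value


def parse_csv_events(text, time_field=TIME_FIELD):
    """Parse a CSV body into (events, rejected_count).

    Each event is {"_time": epoch-or-None, "fields": {header: value}}. Rows whose column
    count differs from the header are counted and dropped: zipping them against the header
    would assign values to the wrong field names.
    """
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    events, rejected = [], 0
    for row in reader:
        if len(row) != len(header):
            rejected += 1
            continue
        fields = {name: split_list_field(val) for name, val in zip(header, row)}
        events.append({"_time": parse_timestamp(fields.get(time_field, "")),
                       "fields": fields})
    return events, rejected


def to_splunk_events(text):
    """Serialise each parsed row as one JSON event, which Splunk can extract with KV_MODE=json."""
    events, _ = parse_csv_events(text)
    return [json.dumps({"_time": e["_time"], **e["fields"]}) for e in events]


if __name__ == "__main__":
    for line in to_splunk_events(SAMPLE_CSV):
        print(line)
```

Emitting one JSON object per CSV row sidesteps the header problem entirely: the field names travel with every event, list-valued columns become proper multivalue fields, and a pre-computed `_time` means the indexer does not have to guess which of the several timestamp columns is the right one. Rejected rows should be logged with their count so a change in the upstream CSV shape is noticed rather than silently dropped.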

madhav_dholakia
Communicator

Hi @achusa.

I am facing the same issue - have you got a resolution for this? Is there any alternative (like making changes in conf files) other than writing scripts/transforms to extract the required data?

Thank you.
