All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to configure the REST API Modular Input to parse and extract CSV header and timestamp fields?

achusa
Loves-to-Learn Everything
‎12-21-2020 01:49 AM

Hi,

I have configured the REST API Modular Input to receive CSV data using the default handler and having "response_type = text" in inputs.conf.
Now I am trying to make Splunk identify the header fields

event sample:

 

 

 

Endpoint Name,Site,Last Logged In User,Group,Domain,Account,Console Visible IP,Agent Version,Last Active,Subscribed On,Health Status,Device Type,OS,OS Version,Architecture,Memory,CPU Count,Core Count,MAC Address,Management Connectivity,Network Status,Update Status,Scan Status,IP Addresses,Pending Uninstall,Disk Encryption,Vulnerability Status,Agent UUID,Agent ID,Customer Identifier,Console Migration Status,Locations,Agent Operational State
123,Servers,N/A,AWS - Citrix XenApp,CHN,123,54.211.215.107,4.3.2.86,2020-12-21T09:28:41.047625Z,2020-06-19T13:08:24.023922Z,Healthy,server,Windows,"Windows Server 2016 Datacenter,14393",64 bit,32 GB,8,8,"['01:61:81:ed:11:aa', '02:67:80:ed:11:aa', '02:67:80:ed:11:aa', '02:67:80:ed:11:aa']",Online,Connected,Up to date,Completed (2020-06-19T16:16:38.500116Z),"['10.11.118.141', 'fe80::d861:311:4109:ec4e', 'fe80::d81c:371:4109:ec4e', '10.222.122.116']",No,Off,Requires patching,83b3c93437b349a3b5c378ecadd11,917238114889702111,N/A,N/A,"['tt', 'ec']",Not disabled by the user
1223,Servers,N/A,AWS - Citrix XenApp,CHN,121,54.211.215.107,4.3.2.86,2020-12-21T09:28:41.047625Z,2020-06-19T13:08:24.023922Z,Healthy,server,Windows,"Windows Server 2016 Datacenter,14393",64 bit,32 GB,8,8,"['01:61:81:ed:11:aa', '02:67:80:ed:11:aa', '02:67:80:ed:11:aa', '02:67:80:ed:11:aa']",Online,Connected,Up to date,Completed (2020-06-19T16:16:38.500116Z),"['10.11.118.141', 'fe80::d861:311:4109:ec4e', 'fe80::d81c:371:4109:ec4e', '10.222.122.116']",No,Off,Requires patching,83b3c93437b349a3b5c378ecadd11,917238114889702111,N/A,N/A,"['tt', 'ec']",Not disabled by the user

 

 

 

The Rest API get the CSV file and it seems like Splunk cannot handle it as CSV:

https://docs.splunk.com/Documentation/Splunk/8.1.1/Data/Extractfieldsfromfileswithstructureddata

It does not work with modular inputs, network inputs, or any other type of input.

Is this correct? If so, how do I let this csv file can be indexed as CSV file and identity the header fields correctly?

 

Labels (1)
Labels
0 Karma
Reply

madhav_dholakia
Contributor
‎06-24-2021 11:45 PM

Hi @achusa.

I am facing the same issue - have you got a resolution for this? Is there any alternate (like making any changes in conf files) other than writing scripts/transforms to extract the required data?

Thank you.

0 Karma
Reply
Get Updates on the Splunk Community!

The OpenTelemetry Certified Associate (OTCA) Exam

What’s this OTCA exam? The Linux Foundation offers the OpenTelemetry Certified Associate (OTCA) credential to ...

From Manual to Agentic: Level Up Your SOC at Cisco Live

Welcome to the Era of the Agentic SOC   Are you tired of being a manual alert responder? The security ...

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 4)

Welcome back to Splunk Classroom Chronicles, our ongoing series where we shine a light on what really happens ...