All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to configure the REST API Modular Input to parse and extract CSV header and timestamp fields?

achusa
Loves-to-Learn Everything
‎12-21-2020 01:49 AM

Hi,

I have configured the REST API Modular Input to receive CSV data using the default handler and having "response_type = text" in inputs.conf.
Now I am trying to make Splunk identify the header fields

event sample:

 

 

 

Endpoint Name,Site,Last Logged In User,Group,Domain,Account,Console Visible IP,Agent Version,Last Active,Subscribed On,Health Status,Device Type,OS,OS Version,Architecture,Memory,CPU Count,Core Count,MAC Address,Management Connectivity,Network Status,Update Status,Scan Status,IP Addresses,Pending Uninstall,Disk Encryption,Vulnerability Status,Agent UUID,Agent ID,Customer Identifier,Console Migration Status,Locations,Agent Operational State
123,Servers,N/A,AWS - Citrix XenApp,CHN,123,54.211.215.107,4.3.2.86,2020-12-21T09:28:41.047625Z,2020-06-19T13:08:24.023922Z,Healthy,server,Windows,"Windows Server 2016 Datacenter,14393",64 bit,32 GB,8,8,"['01:61:81:ed:11:aa', '02:67:80:ed:11:aa', '02:67:80:ed:11:aa', '02:67:80:ed:11:aa']",Online,Connected,Up to date,Completed (2020-06-19T16:16:38.500116Z),"['10.11.118.141', 'fe80::d861:311:4109:ec4e', 'fe80::d81c:371:4109:ec4e', '10.222.122.116']",No,Off,Requires patching,83b3c93437b349a3b5c378ecadd11,917238114889702111,N/A,N/A,"['tt', 'ec']",Not disabled by the user
1223,Servers,N/A,AWS - Citrix XenApp,CHN,121,54.211.215.107,4.3.2.86,2020-12-21T09:28:41.047625Z,2020-06-19T13:08:24.023922Z,Healthy,server,Windows,"Windows Server 2016 Datacenter,14393",64 bit,32 GB,8,8,"['01:61:81:ed:11:aa', '02:67:80:ed:11:aa', '02:67:80:ed:11:aa', '02:67:80:ed:11:aa']",Online,Connected,Up to date,Completed (2020-06-19T16:16:38.500116Z),"['10.11.118.141', 'fe80::d861:311:4109:ec4e', 'fe80::d81c:371:4109:ec4e', '10.222.122.116']",No,Off,Requires patching,83b3c93437b349a3b5c378ecadd11,917238114889702111,N/A,N/A,"['tt', 'ec']",Not disabled by the user

 

 

 

The Rest API get the CSV file and it seems like Splunk cannot handle it as CSV:

https://docs.splunk.com/Documentation/Splunk/8.1.1/Data/Extractfieldsfromfileswithstructureddata

It does not work with modular inputs, network inputs, or any other type of input.

Is this correct? If so, how do I let this csv file can be indexed as CSV file and identity the header fields correctly?

 

Labels (1)
Labels
0 Karma
Reply

madhav_dholakia
Contributor
‎06-24-2021 11:45 PM

Hi @achusa.

I am facing the same issue - have you got a resolution for this? Is there any alternate (like making any changes in conf files) other than writing scripts/transforms to extract the required data?

Thank you.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Building on the foundation established in our initial Value Insights releases, we are introducing the Savings ...

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...