Splunk App for Windows Infrastructure: Why is UI performance poor and splunkd.log is reporting CSV parsing errors?

lycollicott
Motivator

I followed the setup and I am very disappointed with the results. I assume that it is indexing events as designed, because there are events in the msad index. The UI is slow. Pages do not populate on first load and have to be refreshed. Many dashboards - especially for AD - return no data. The splunkd.log is filling with these 4 lines every second:

12-08-2015 09:05:53.293 -0400 WARN  SearchResults - R:\app\Splunk\etc\apps\splunk_app_windows_infrastructure\lookups\windows_processes_process.csv is empty, multi-line header is missing matching quotation, or could not parse CSV header
12-08-2015 09:05:53.293 -0400 WARN  SearchResults - R:\app\Splunk\etc\apps\splunk_app_windows_infrastructure\lookups\windows_processes_system.csv is empty, multi-line header is missing matching quotation, or could not parse CSV header
12-08-2015 09:05:53.293 -0400 WARN  SearchResults - R:\app\Splunk\etc\apps\splunk_app_windows_infrastructure\lookups\windows_services_service.csv is empty, multi-line header is missing matching quotation, or could not parse CSV header
12-08-2015 09:05:53.293 -0400 WARN  SearchResults - R:\app\Splunk\etc\apps\splunk_app_windows_infrastructure\lookups\windows_services_system.csv is empty, multi-line header is missing matching quotation, or could not parse CSV header
0 Karma

ryanlait
Explorer

I had the same issue and was able to stop the errors by adding the following into the csv's that were flagging errors for me:
a,b,c

If it still flags errors, remember to disable the lookup definitions for those particular csv's.

This is probably only helpful if you are not using them though, sorry.

I too am keen to know what "should" be in there.

0 Karma

napomokoetle
Communicator

Thanks for the tip ryanlait. Will only be back in office next week to try it out.

0 Karma

arcdevil
Path Finder

What helped for me:
While Splunk was running, I deleted the csv files and restarted the Splunk process. No more log errors.

0 Karma

scc00
Contributor

Does anyone have a copy of the correct .csv for this?

0 Karma

lycollicott
Motivator

I got this explanation from Splunk Support:

"Those lookups are related to Hostmon inputs. If you're not using the hostmon inputs on your windows forwarders, then these won't be populated. If you like, and you're not using hostmon, you can put in some headers and it will stop complaining about the lookups. Just edit the files, and put "a,b,c" in the top line of each one. Splunk should stop complaining about them then. Now, if you are using hostmon, then there could be an issue there."

0 Karma
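
The workaround Splunk Support describes above, as an added example that is not part of the original thread or the app's own code: a Python script that extracts the flagged lookup paths from splunkd.log warnings and writes the "a,b,c" placeholder header only into files that are actually empty. The function names, the `dry_run` switch and the `lookups` directory argument are assumptions; as Support notes, this applies only when hostmon inputs are not in use.

```python
import re
from pathlib import Path, PureWindowsPath

# Matches the WARN line quoted in the thread and captures the lookup path.
WARN_RE = re.compile(r"WARN\s+SearchResults - (?P<path>.+?\.csv) is empty, multi-line header")
PLACEHOLDER_HEADER = b"a,b,c\n"  # header suggested in the thread

# First four lines are copied from the thread; the last is a constructed repeat.
_TAIL = " is empty, multi-line header is missing matching quotation, or could not parse CSV header"
_DIR = r"R:\app\Splunk\etc\apps\splunk_app_windows_infrastructure\lookups" + "\\"
SAMPLE_LOG = [
    "12-08-2015 09:05:53.293 -0400 WARN  SearchResults - " + _DIR + "windows_processes_process.csv" + _TAIL,
    "12-08-2015 09:05:53.293 -0400 WARN  SearchResults - " + _DIR + "windows_processes_system.csv" + _TAIL,
    "12-08-2015 09:05:53.293 -0400 WARN  SearchResults - " + _DIR + "windows_services_service.csv" + _TAIL,
    "12-08-2015 09:05:53.293 -0400 WARN  SearchResults - " + _DIR + "windows_services_system.csv" + _TAIL,
    "12-08-2015 09:05:54.293 -0400 WARN  SearchResults - " + _DIR + "windows_processes_process.csv" + _TAIL,
]

def flagged_lookups(log_lines):
    """Return the unique lookup CSV paths named in the warnings, in first-seen order."""
    seen = {}
    for line in log_lines:
        match = WARN_RE.search(line)
        if match:
            seen.setdefault(match.group("path"), None)
    return list(seen)

def add_placeholder_headers(lookups_dir, flagged, dry_run=True):
    """Write the placeholder header into flagged files that exist and are empty.

    Populated lookups (hostmon in use) and missing files are left alone.
    Returns the file names changed, or that would be changed when dry_run is set.
    """
    changed = []
    for raw in flagged:
        name = PureWindowsPath(raw).name  # log paths are Windows-style
        target = Path(lookups_dir) / name
        if target.is_file() and target.read_bytes().strip() == b"":
            if not dry_run:
                target.write_bytes(PLACEHOLDER_HEADER)
            changed.append(name)
    return changed

if __name__ == "__main__":
    # "lookups" is a placeholder for the app's lookups directory.
    for name in add_placeholder_headers("lookups", flagged_lookups(SAMPLE_LOG)):
        print("would write header to", name)
```

Run it with `dry_run=True` first and review the list before letting it modify files.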

americob
Explorer

I'm also getting the same errors on splunkd.log:
12-09-2015 13:15:04.399 -0800 WARN SearchResults - C:\Splunk\etc\apps\splunk_app_windows_infrastructure\lookups\windows_services_system.csv is empty, multi-line header is missing matching quotation, or could not parse CSV header

0 Karma

lycollicott
Motivator

I opened a case, so I'll pass along anything I find out.

0 Karma

napomokoetle
Communicator

Hi lycollicott,

Have you received any feedback from Splunk? Would be interesting to get an official helpful response.

0 Karma