Splunk App for Windows Infrastructure: Why is UI performance poor and splunkd.log is reporting CSV parsing errors?

lycollicott
Motivator

I followed the setup and I am very disappointed with the results. I assume that it is indexing events as designed, because there are events in the msad index. The UI is slow. Pages do not populate on first load and have to be refreshed. Many dashboards - especially for AD - return no data. The splunkd.log is filling with these 4 lines every second:

12-08-2015 09:05:53.293 -0400 WARN  SearchResults - R:\app\Splunk\etc\apps\splunk_app_windows_infrastructure\lookups\windows_processes_process.csv is empty, multi-line header is missing matching quotation, or could not parse CSV header
12-08-2015 09:05:53.293 -0400 WARN  SearchResults - R:\app\Splunk\etc\apps\splunk_app_windows_infrastructure\lookups\windows_processes_system.csv is empty, multi-line header is missing matching quotation, or could not parse CSV header
12-08-2015 09:05:53.293 -0400 WARN  SearchResults - R:\app\Splunk\etc\apps\splunk_app_windows_infrastructure\lookups\windows_services_service.csv is empty, multi-line header is missing matching quotation, or could not parse CSV header
12-08-2015 09:05:53.293 -0400 WARN  SearchResults - R:\app\Splunk\etc\apps\splunk_app_windows_infrastructure\lookups\windows_services_system.csv is empty, multi-line header is missing matching quotation, or could not parse CSV header
0 Karma

ryanlait
Explorer

I had the same issue and was able to stop the errors by adding the following into the csv's that were flagging errors for me:
a,b,c

If it still flags errors remember to disable the lookup definitions to those particular csv's.

This is probably only helpful if you are not using them though, sorry.

I too am keen to know what "should" be in there.

0 Karma

napomokoetle
Communicator

Thanks for the tip ryanlait. Will only be back in office next week to try it out.

0 Karma

arcdevil
Path Finder

What helped for me:
While Splunk was running, I deleted the csv files and restarted the Splunk process. No more log errors.

0 Karma

scc00
Contributor

Does anyone have a copy of the correct .csv for this?

0 Karma

lycollicott
Motivator

I got this explanation from Splunk Support:

"Those lookups are related to Hostmon inputs. If you're not using the hostmon inputs on your windows forwarders, then these won't be populated. If you like, and you're not using hostmon, you can put in some headers and it will stop complaining about the lookups. Just edit the files, and put "a,b,c" in the top line of each one. Splunk should stop complaining about them then. Now, if you are using hostmon, then there could be an issue there. "

0 Karma
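
Added example, not part of any post in this thread and not Splunk's own code: a Python sketch that lists which lookup files splunkd.log is warning about and applies the placeholder-header workaround Support describes, touching only zero-byte files so a lookup that hostmon has populated is never overwritten. The function names and the sample log are assumptions made for illustration.

```python
import re
from collections import Counter
from pathlib import Path, PureWindowsPath

# The splunkd.log warning quoted in the thread; tolerates one or two spaces after WARN.
WARN_RE = re.compile(
    r"^\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}\s+WARN\s+SearchResults - "
    r"(?P<path>.+\.csv) is empty, multi-line header is missing matching quotation, "
    r"or could not parse CSV header\s*$"
)

# Constructed sample: two warnings as posted in the thread, a constructed repeat
# one second later, and a constructed unrelated INFO line.
SAMPLE_LOG = r"""12-08-2015 09:05:53.293 -0400 WARN  SearchResults - R:\app\Splunk\etc\apps\splunk_app_windows_infrastructure\lookups\windows_processes_process.csv is empty, multi-line header is missing matching quotation, or could not parse CSV header
12-08-2015 09:05:53.293 -0400 WARN  SearchResults - R:\app\Splunk\etc\apps\splunk_app_windows_infrastructure\lookups\windows_services_system.csv is empty, multi-line header is missing matching quotation, or could not parse CSV header
12-08-2015 09:05:53.300 -0400 INFO  ExampleComponent - constructed unrelated line
12-08-2015 09:05:54.293 -0400 WARN  SearchResults - R:\app\Splunk\etc\apps\splunk_app_windows_infrastructure\lookups\windows_services_system.csv is empty, multi-line header is missing matching quotation, or could not parse CSV header
"""


def failing_lookups(log_text):
    """Return a Counter mapping lookup file name to number of warnings logged."""
    counts = Counter()
    for line in log_text.splitlines():
        match = WARN_RE.match(line)
        if match:
            # PureWindowsPath parses the Windows path on any operating system.
            counts[PureWindowsPath(match.group("path")).name] += 1
    return counts


def add_placeholder_header(lookups_dir, names, header="a,b,c"):
    """Write the placeholder header into zero-byte lookups only; return names changed."""
    changed = []
    for name in sorted(names):
        path = Path(lookups_dir) / name
        if path.is_file() and path.stat().st_size == 0:
            path.write_text(header + "\n")
            changed.append(name)
    return changed


if __name__ == "__main__":
    for name, hits in failing_lookups(SAMPLE_LOG).most_common():
        print(f"{hits:4d}  {name}")
```

Run `add_placeholder_header` against the app's `lookups` directory only when the hostmon inputs are not in use, which is the condition Support attaches to the workaround.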

americob
Explorer

I'm also getting the same errors on splunkd.log:
12-09-2015 13:15:04.399 -0800 WARN SearchResults - C:\Splunk\etc\apps\splunk_app_windows_infrastructure\lookups\windows_services_system.csv is empty, multi-line header is missing matching quotation, or could not parse CSV header

0 Karma

lycollicott
Motivator

I opened a case, so I'll pass along anything I find out.

0 Karma

napomokoetle
Communicator

Hi lycollicott,

Have you received any feedback from Splunk? Would be interesting to get an official helpful response.

0 Karma