I followed the setup and I am very disappointed with the results. I assume that it is indexing events as designed, because there are events in the msad index. The UI is slow. Pages do not populate on first load and have to be refreshed. Many dashboards - especially for AD - return no data. The splunkd.log is filling with these 4 lines every second:
12-08-2015 09:05:53.293 -0400 WARN SearchResults - R:\app\Splunk\etc\apps\splunk_app_windows_infrastructure\lookups\windows_processes_process.csv is empty, multi-line header is missing matching quotation, or could not parse CSV header
12-08-2015 09:05:53.293 -0400 WARN SearchResults - R:\app\Splunk\etc\apps\splunk_app_windows_infrastructure\lookups\windows_processes_system.csv is empty, multi-line header is missing matching quotation, or could not parse CSV header
12-08-2015 09:05:53.293 -0400 WARN SearchResults - R:\app\Splunk\etc\apps\splunk_app_windows_infrastructure\lookups\windows_services_service.csv is empty, multi-line header is missing matching quotation, or could not parse CSV header
12-08-2015 09:05:53.293 -0400 WARN SearchResults - R:\app\Splunk\etc\apps\splunk_app_windows_infrastructure\lookups\windows_services_system.csv is empty, multi-line header is missing matching quotation, or could not parse CSV header
I had the same issue and was able to stop the errors by adding the following into the CSVs that were flagging errors for me:
a,b,c
If it still flags errors, remember to disable the lookup definitions for those particular CSVs.
This is probably only helpful if you are not using them, though. Sorry.
I too am keen to know what "should" be in there.
Thanks for the tip ryanlait. Will only be back in office next week to try it out.
This is what helped for me:
While Splunk was running, I deleted the CSV files and restarted the Splunk process. No more log errors.
Does anyone have a copy of the correct .csv for this?
I got this explanation from Splunk Support:
"Those lookups are related to Hostmon inputs. If you're not using the hostmon inputs on your windows forwarders, then these won't be populated. If you like, and you're not using hostmon, you can put in some headers and it will stop complaining about the lookups. Just edit the files, and put "a,b,c" in the top line of each one. Splunk should stop complaining about them then. Now, if you are using hostmon, then there could be an issue there."
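As an added example that is not part of this thread or of the Splunk app, the following Python script applies the check described above: it classifies each of the four lookup files named in the warnings by the same three conditions the WARN line lists (empty, unmatched quote in the header, unparseable header) and, only when asked, writes the "a,b,c" placeholder into the empty ones. The lookups directory path, the constructed sample files and the function names are my own assumptions.

```python
import csv
import os
import tempfile

PLACEHOLDER_HEADER = "a,b,c\n"  # header the thread suggests for unused lookups
# Lookup files named in the splunkd.log warnings in this thread.
HOSTMON_LOOKUPS = ["windows_processes_process.csv", "windows_processes_system.csv",
                   "windows_services_service.csv", "windows_services_system.csv"]

def classify_header(text):
    """Return "empty", "unmatched_quote", "unparseable" or "ok" for a lookup file body."""
    if text.strip() == "":
        return "empty"
    first_line = text.splitlines()[0]
    if first_line.count('"') % 2 == 1:  # a quoted field that never closes
        return "unmatched_quote"
    header = next(csv.reader([first_line]))  # parse only the header row
    return "ok" if header and all(h.strip() for h in header) else "unparseable"

def check_lookups(lookups_dir, fix=False):
    """Map filename -> status; fix=True writes the placeholder into empty files only."""
    report = {}
    for name in HOSTMON_LOOKUPS:
        path = os.path.join(lookups_dir, name)
        if not os.path.exists(path):
            report[name] = "missing"
            continue
        with open(path, encoding="utf-8") as fh:
            status = classify_header(fh.read())
        if status == "empty" and fix:  # safe only when hostmon inputs are not in use
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(PLACEHOLDER_HEADER)
            status = "fixed"
        report[name] = status
    return report

def build_sample_lookups():
    """Constructed sample lookups directory (assumed data, not real Splunk files)."""
    d = tempfile.mkdtemp()
    samples = {"windows_processes_process.csv": "",
               "windows_processes_system.csv": '"host,name\n1,2\n',
               "windows_services_service.csv": "host,service,state\n"}
    for name, body in samples.items():
        with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return d

if __name__ == "__main__":
    print(check_lookups(build_sample_lookups(), fix=True))
```

Run it first without `fix=True` against the app's lookups directory to see which files are empty versus genuinely malformed; a file with an unmatched quote or a blank column name needs its header repaired, not replaced.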
I'm also getting the same errors on splunkd.log:
12-09-2015 13:15:04.399 -0800 WARN SearchResults - C:\Splunk\etc\apps\splunk_app_windows_infrastructure\lookups\windows_services_system.csv is empty, multi-line header is missing matching quotation, or could not parse CSV header
I opened a case, so I'll pass along anything I find out.
Hi lycollicott,
Have you received any feedback from Splunk? Would be interesting to get an official helpful response.