Getting Data In

How to extract multiline cell value in a CSV into an individual field for an event?

astackpole
Path Finder

Hi All,

I'm having issues with ingesting my CSV files properly into Splunk and did not come across any current Q&A that could help my specific issue.

An example of a couple rows of data in my CSV are as follows with their respective header field at the top of the file,

Plugin ID CVE CVSS v2.0 Base Score Risk Host Protocol Port Name Synopsis Description Solution See Also Plugin Output STIG Severity CVSS v3.0 Base Score CVSS v2.0 Temporal Score CVSS v3.0 Temporal Score Risk Factor BID XREF MSKB Plugin Publication Date Plugin Modification Date Metasploit Core Impact CANVAS              
135860     None host2.web.com tcp 445 WMI Not Available WMI queries could not be made against the remote host. WMI (Windows Management Instrumentation) is not available on the
remote host over DCOM. WMI queries are used to gather information
about the remote host, such as its current state, network interface
configuration, etc.

Without this information Nessus may not be able to identify installed
software or security vunerabilities that exist on the remote host.
n/a https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page Can't connect to the 'root\CIMV2' WMI namespace.   None       4/21/20 12/21/22                    
166602     None host2.web.com tcp 0 Asset Attribute: Fully Qualified Domain Name (FQDN) Report Fully Qualified Domain Name (FQDN) for the remote host. Report Fully Qualified Domain Name (FQDN) for the remote host. n/a   The FQDN for the remote host has been determined to be:

  FQDN       : host2.web.com
  Confidence : 100
  Resolves   : True
  Method     : rDNS Lookup: IP Address

Another possible FQDN was also detected:
        None       10/27/22 10/27/22                    

 

For the second event's Plugin Output field, it keeps reading each new line as a new row. A lot of the rows contain similar data which is causing there to be far more logged events than there are rows in the CSV file. 

How can I ensure these fields get parsed properly to keep each row within one event and each cell as it's own field? I have tried a handful of configurations and am currently working with the following,

props.conf

 

 

[csv]
INDEXED_EXTRACTIONS = csv
DATETIME_CONFIG = CURRENT
SHOULD_LINEMERGE = true
NO_BINARY_CHECK = true
CHARSET = AUTO
KV_MODE = none
pulldown_type = true

[scan_reports]
REPORT-scan_reports = csv_fields

 

 

transforms.conf

 

 

[csv_fields]
DELIMS = ","
FIELDS = "Plugin ID", "CVE", CVSS v2.0 Base Score", "Risk", "Host", "Protocol", "Port", "Name", "Synposis", "Description", "Solution", "See Also", "Plugin Output", "STIG Severity", "CVSS v3.0 Base Score", "CVSS v2.0 Temporal Score",	"CVSS v3.0 Temporal Score", "Risk Factor", "BID", "XREF", "MSKB", "Plugin Publication Date", "Plugin Modification Date", "Metasploit", "Core Impact", "CANVAS"

 

 

 

Any help will be greatly appreciated! 

Labels (4)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

For Splunk to process them properly, multi-line fields in a CSV should be enclosed in quotation marks.  Likewise, for fields with embedded commas (like Description).

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...