Hi All,
I'm having issues with ingesting my CSV files properly into Splunk and did not come across any current Q&A that could help my specific issue.
An example of a couple of rows of data in my CSV is as follows, with their respective header fields at the top of the file:
Plugin ID | CVE | CVSS v2.0 Base Score | Risk | Host | Protocol | Port | Name | Synopsis | Description | Solution | See Also | Plugin Output | STIG Severity | CVSS v3.0 Base Score | CVSS v2.0 Temporal Score | CVSS v3.0 Temporal Score | Risk Factor | BID | XREF | MSKB | Plugin Publication Date | Plugin Modification Date | Metasploit | Core Impact | CANVAS | |||||||
135860 | None | host2.web.com | tcp | 445 | WMI Not Available | WMI queries could not be made against the remote host. | WMI (Windows Management Instrumentation) is not available on the remote host over DCOM. WMI queries are used to gather information about the remote host, such as its current state, network interface configuration, etc. Without this information Nessus may not be able to identify installed software or security vulnerabilities that exist on the remote host. |
n/a | https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page | Can't connect to the 'root\CIMV2' WMI namespace. | None | 4/21/20 | 12/21/22 | |||||||||||||||||||
166602 | None | host2.web.com | tcp | 0 | Asset Attribute: Fully Qualified Domain Name (FQDN) | Report Fully Qualified Domain Name (FQDN) for the remote host. | Report Fully Qualified Domain Name (FQDN) for the remote host. | n/a | The FQDN for the remote host has been determined to be: FQDN : host2.web.com Confidence : 100 Resolves : True Method : rDNS Lookup: IP Address Another possible FQDN was also detected: |
None | 10/27/22 | 10/27/22 |
For the second event's Plugin Output field, it keeps reading each new line as a new row. A lot of the rows contain similar data which is causing there to be far more logged events than there are rows in the CSV file.
How can I ensure these fields get parsed properly to keep each row within one event and each cell as its own field? I have tried a handful of configurations and am currently working with the following:
props.conf
[csv]
INDEXED_EXTRACTIONS = csv
DATETIME_CONFIG = CURRENT
SHOULD_LINEMERGE = true
NO_BINARY_CHECK = true
CHARSET = AUTO
KV_MODE = none
pulldown_type = true
[scan_reports]
REPORT-scan_reports = csv_fields
transforms.conf
[csv_fields]
DELIMS = ","
FIELDS = "Plugin ID", "CVE", "CVSS v2.0 Base Score", "Risk", "Host", "Protocol", "Port", "Name", "Synopsis", "Description", "Solution", "See Also", "Plugin Output", "STIG Severity", "CVSS v3.0 Base Score", "CVSS v2.0 Temporal Score", "CVSS v3.0 Temporal Score", "Risk Factor", "BID", "XREF", "MSKB", "Plugin Publication Date", "Plugin Modification Date", "Metasploit", "Core Impact", "CANVAS"
Any help will be greatly appreciated!
For Splunk to process them properly, multi-line fields in a CSV should be enclosed in quotation marks. Likewise, for fields with embedded commas (like Description).
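To make the quoting rule concrete, here is an added Python example (not part of the answer above, and not Splunk's or Nessus's code). It builds a small constructed CSV in the shape of a Nessus export where one "Plugin Output" cell spans several lines and one "Description" cell contains commas, shows that a line-per-event reader sees more "rows" than there are records while a quote-aware reader recovers exactly two, and provides a check that flags rows whose field count does not match the header (the symptom of an unquoted line break or comma). The function names and the sample rows are assumptions made for the example; the column set is a subset of the header in the question.

```python
import csv
import io

# Constructed sample (not data from the original post): a header plus two Nessus-style
# rows. Row 2's "Plugin Output" spans four lines; row 1's "Description" contains commas.
HEADER = ["Plugin ID", "CVE", "Risk", "Host", "Protocol", "Port", "Name",
          "Description", "Plugin Output"]
ROWS = [
    ["135860", "", "None", "host2.web.com", "tcp", "445", "WMI Not Available",
     "WMI queries are used to gather information, such as state, configuration, etc.",
     "Can't connect to the 'root\\CIMV2' WMI namespace."],
    ["166602", "", "None", "host2.web.com", "tcp", "0", "Asset Attribute: FQDN",
     "Report Fully Qualified Domain Name (FQDN) for the remote host.",
     "The FQDN for the remote host has been determined to be:\n"
     "FQDN : host2.web.com\nConfidence : 100\nResolves : True"],
]


def write_csv(header, rows):
    """Serialize rows so that every field containing a newline, comma or double quote is
    enclosed in double quotes (csv.QUOTE_MINIMAL does exactly that; embedded quotes are
    doubled). This is the form a CSV-aware reader such as Splunk's csv extraction expects."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_MINIMAL, lineterminator="\n")
    writer.writerow(header)
    writer.writerows(rows)
    return buf.getvalue()


def naive_row_count(text):
    """What a line-oriented reader (one event per physical line) would count: every
    embedded newline inside a multi-line field becomes an extra 'row'."""
    return len([line for line in text.splitlines() if line.strip()])


def parse_csv(text):
    """Parse with a quote-aware reader; returns one dict per record, keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def check_rows(text):
    """Return (line_number, field_count) for every record whose width differs from the
    header. A non-empty result means some line break or comma was not quoted."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    return [(i, len(row)) for i, row in enumerate(reader, start=2)
            if len(row) != len(header)]


def requote(text):
    """Re-emit a CSV with every field quoted (QUOTE_ALL). Useful as a normalisation step
    before handing an export to Splunk when you cannot control the producer's quoting."""
    reader = csv.reader(io.StringIO(text))
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerows(reader)
    return buf.getvalue()


if __name__ == "__main__":
    text = write_csv(HEADER, ROWS)
    print("physical lines:", naive_row_count(text))   # 6: header + 1 + 4-line record
    print("records parsed:", len(parse_csv(text)))    # 2
    print("width problems:", check_rows(text))         # [] because fields are quoted
    broken = "Plugin ID,Plugin Output\n166602,line one\nline two\n"  # unquoted newline
    print("width problems (broken file):", check_rows(broken))       # [(3, 1)]
```

Run `check_rows` over an export before onboarding it: an empty result means each record will land in one event, while entries like `(3, 1)` point to the exact line where a field was split because its newline was not quoted, which is the failure mode the question describes.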