Getting Data In

How to extract multiline cell value in a CSV into an individual field for an event?

astackpole
Path Finder

Hi All,

I'm having issues with ingesting my CSV files properly into Splunk and did not come across any current Q&A that could help my specific issue.

An example of a couple rows of data in my CSV are as follows with their respective header field at the top of the file,

Plugin ID CVE CVSS v2.0 Base Score Risk Host Protocol Port Name Synopsis Description Solution See Also Plugin Output STIG Severity CVSS v3.0 Base Score CVSS v2.0 Temporal Score CVSS v3.0 Temporal Score Risk Factor BID XREF MSKB Plugin Publication Date Plugin Modification Date Metasploit Core Impact CANVAS              
135860     None host2.web.com tcp 445 WMI Not Available WMI queries could not be made against the remote host. WMI (Windows Management Instrumentation) is not available on the
remote host over DCOM. WMI queries are used to gather information
about the remote host, such as its current state, network interface
configuration, etc.

Without this information Nessus may not be able to identify installed
software or security vunerabilities that exist on the remote host.
n/a https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page Can't connect to the 'root\CIMV2' WMI namespace.   None       4/21/20 12/21/22                    
166602     None host2.web.com tcp 0 Asset Attribute: Fully Qualified Domain Name (FQDN) Report Fully Qualified Domain Name (FQDN) for the remote host. Report Fully Qualified Domain Name (FQDN) for the remote host. n/a   The FQDN for the remote host has been determined to be:

  FQDN       : host2.web.com
  Confidence : 100
  Resolves   : True
  Method     : rDNS Lookup: IP Address

Another possible FQDN was also detected:
        None       10/27/22 10/27/22                    

 

For the second event's Plugin Output field, it keeps reading each new line as a new row. A lot of the rows contain similar data which is causing there to be far more logged events than there are rows in the CSV file. 

How can I ensure these fields get parsed properly to keep each row within one event and each cell as it's own field? I have tried a handful of configurations and am currently working with the following,

props.conf

 

 

[csv]
INDEXED_EXTRACTIONS = csv
DATETIME_CONFIG = CURRENT
SHOULD_LINEMERGE = true
NO_BINARY_CHECK = true
CHARSET = AUTO
KV_MODE = none
pulldown_type = true

[scan_reports]
REPORT-scan_reports = csv_fields

 

 

transforms.conf

 

 

[csv_fields]
DELIMS = ","
FIELDS = "Plugin ID", "CVE", CVSS v2.0 Base Score", "Risk", "Host", "Protocol", "Port", "Name", "Synposis", "Description", "Solution", "See Also", "Plugin Output", "STIG Severity", "CVSS v3.0 Base Score", "CVSS v2.0 Temporal Score",	"CVSS v3.0 Temporal Score", "Risk Factor", "BID", "XREF", "MSKB", "Plugin Publication Date", "Plugin Modification Date", "Metasploit", "Core Impact", "CANVAS"

 

 

 

Any help will be greatly appreciated! 

Labels (4)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

For Splunk to process them properly, multi-line fields in a CSV should be enclosed in quotation marks.  Likewise, for fields with embedded commas (like Description).

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...