CSV file different format when downloaded from report generated.

JMPP
Explorer

Hi Everyone, 


For some reason I'm getting a different CSV file format when I download the file vs. from the report generated by the scheduled report functionality.

- When I download the file from the Splunk search option, I get something like:

{"timestamp: 2024-04-02T22:42:19.655Z
sequence: 735
blablaclasname: com.rr.jj.eee.rrr
anotherblablaclasnameName: com.rr.rr.rrrr.rrr
level: ERRROR

exceptionMessage: blablabc
....
}

- When I receive the file by email using the same query, I get something like:
{"timestamp: 2024-04-02T22:42:19.655Z\nsequence: 735\nblablaclasname: com.rr.jj.eee.rrr\nanotherblablaclasnameName: com.rr.rr.rrrr.rrr\nlevel: ERRROR\n\nexceptionMessage: blablabc\n....}

In the *.conf file I am seeing:
LINE_BREAKER = \}(\,?[\r\n]+)\{?


Regards

 

0 Karma

tscroggins
Influencer

Hi @JMPP,

Splunkweb and the sendemail command/action use different code to render CSV files. Fortunately, there's a sendemail option to enable/disable escaping newline characters in CSV attachments:

action.email.escapeCSVNewline

The default value is true.

Unfortunately, the setting isn't exposed through the Searches, reports, and alerts Advanced Edit page. Try adding the following setting directly to your alert's savedsearches.conf stanza in either $SPLUNK_HOME/etc/apps/<app>/local/savedsearches.conf for shared searches or $SPLUNK_HOME/etc/users/<user>/<app>/local/savedsearches.conf for private searches, e.g.:

# $SPLUNK_HOME/etc/apps/search/local/savedsearches.conf

[My Groovy Alert]
# ...
action.email.escapeCSVNewline = false

If you're using Splunk Cloud, support can help you update the file, or you can package the alert in a custom app. The latter warrants a separate question.

JMPP
Explorer

@tscroggins,

Is the suggested configuration restricted to certain Splunk versions? Because we have tried different options but we are not seeing the CSV formatted as expected; also, the instances were restarted.

 

Thanks in advance. We have run the reports as simple as possible,
e.g.:
"index=os earliest=-5m |timechart span=1m values(host)"



Regards

0 Karma

tscroggins
Influencer

Hi @JMPP,

I tested on Splunk Enterprise 9.2 with a slight correction:

action.email.escapeCSVNewline = 0

The attachment received did not encode newlines as \n.

0 Karma

tscroggins
Influencer

As a quick follow-up, the setting is recognized by all currently supported versions of Splunk Enterprise and present at least as far back as Splunk Enterprise 8.1; however, it's not documented.

0 Karma
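
For attachments that have already been delivered with escaped newlines, the sketch below classifies which rendering a CSV uses and rewrites the escaped form into the multi-line form that the Splunk Web download produces. It is an added example, not code from the thread or from Splunk; the sample row is constructed from the values in the question, and it assumes the escape is exactly the two characters backslash and `n`, as shown there.

```python
import csv
import io

# Constructed sample: a header plus one result row as the e-mailed attachment
# renders it, with each newline in _raw written as backslash + "n".
EMAILED_CSV = (
    '"_time","_raw"\r\n'
    '"2024-04-02T22:42:19.655Z","{""timestamp: 2024-04-02T22:42:19.655Z'
    '\\nsequence: 735\\nlevel: ERRROR\\n\\nexceptionMessage: blablabc}"\r\n'
)


def read_rows(csv_text):
    """Parse CSV text into rows; newline="" keeps newlines inside quoted fields."""
    return list(csv.reader(io.StringIO(csv_text, newline="")))


def rendering(csv_text):
    """Classify the data rows: 'escaped', 'multiline', 'mixed' or 'single-line'."""
    fields = [f for row in read_rows(csv_text)[1:] for f in row]
    escaped = any("\\n" in f for f in fields)
    multiline = any("\n" in f for f in fields)
    if escaped and multiline:
        return "mixed"
    return "escaped" if escaped else "multiline" if multiline else "single-line"


def unescape_newlines(csv_text, columns=None):
    """Rewrite the CSV with backslash-n turned into real newlines.

    columns limits the change to named header columns (default: all).
    Assumption: backslash-n always stands for a newline; a value that
    genuinely contained those two characters cannot be told apart.
    """
    rows = read_rows(csv_text)
    if not rows:
        return ""
    header = rows[0]
    targets = {i for i, name in enumerate(header) if columns is None or name in columns}
    out = io.StringIO(newline="")
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\r\n")
    writer.writerow(header)  # header names are copied unchanged
    for row in rows[1:]:
        writer.writerow([f.replace("\\n", "\n") if i in targets else f
                         for i, f in enumerate(row)])
    return out.getvalue()


if __name__ == "__main__":
    print(rendering(EMAILED_CSV), "->", rendering(unescape_newlines(EMAILED_CSV)))
```

A result of "mixed" means some fields hold real newlines and others the escaped form, so the file should be inspected before rewriting.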

JMPP
Explorer

Hi @tscroggins 

Really appreciate your comments. I'm currently working with the changes you've suggested.

Thanks and Regards,

0 Karma
