Hi Everyone,
For some reason I'm getting a different CSV file format when I download the file vs. the report generated by the scheduled report functionality.
- When I download the file from the Splunk search option I am getting something like:
{"timestamp: 2024-04-02T22:42:19.655Z
sequence: 735
blablaclasname: com.rr.jj.eee.rrr
anotherblablaclasnameName: com.rr.rr.rrrr.rrr
level: ERRROR
exceptionMessage: blablabc
....
}
- When I receive the file by email using the same query I'm getting something like:
{"timestamp: 2024-04-02T22:42:19.655Z\nsequence: 735\nblablaclasname: com.rr.jj.eee.rrr\nanotherblablaclasnameName: com.rr.rr.rrrr.rrr\nlevel: ERRROR\n\nexceptionMessage: blablabc\n....}
In the *.conf file I am seeing:
LINE_BREAKER = \}(\,?[\r\n]+)\{?
Regards
Hi @JMPP,
Splunkweb and the sendemail command/action use different code to render CSV files. Fortunately, there's a sendemail option to enable/disable escaping newline characters in CSV attachments:
action.email.escapeCSVNewline
The default value is true.
Unfortunately, the setting isn't exposed through the Searches, reports, and alerts Advanced Edit page. Try adding the following setting directly to your alert's savedsearches.conf stanza in either $SPLUNK_HOME/etc/apps/<app>/local/savedsearches.conf for shared searches or $SPLUNK_HOME/etc/users/<user>/<app>/local/savedsearches.conf for private searches, e.g.:
# $SPLUNK_HOME/etc/apps/search/local/savedsearches.conf
[My Groovy Alert]
# ...
action.email.escapeCSVNewline = false
If you're using Splunk Cloud, support can help you update the file, or you can package the alert in a custom app. The latter warrants a separate question.
Is the suggested configuration restricted to certain Splunk versions? We have tried different options but we are not seeing the CSV formatted as expected; the instances were also restarted.
Thanks in advance. We have run the reports as simply as possible.
e.g.:
"index=os earliest=-5m |timechart span=1m values(host)"
Regards
Hi @JMPP,
I tested on Splunk Enterprise 9.2 with a slight correction:
action.email.escapeCSVNewline = 0
The attachment received did not encode newlines as \n.
As a quick follow-up, the setting is recognized by all currently supported versions of Splunk Enterprise and present at least as far back as Splunk Enterprise 8.1; however, it's not documented.
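An added example, not part of the thread and not Splunk tooling: a small Python check that reads savedsearches.conf text and reports, for each saved search that emails a CSV attachment, whether newlines will still be escaped as \n. It assumes the attachment is enabled with action.email.sendcsv, treats an unset escapeCSVNewline as true (the default stated above), reads a single file without merging default/local layers, and runs on a constructed sample.

```python
import re
# Constructed sample; stanza names and searches are made up for illustration.
SAMPLE_CONF = r"""
[My Groovy Alert]
search = index=os earliest=-5m \
| timechart span=1m values(host)
action.email = 1
action.email.sendcsv = 1
action.email.escapeCSVNewline = false

[Cloned Report]
action.email = 1
action.email.sendcsv = 1
action.email.escapeCSVNewline = 0

[Untouched Report]
action.email = 1
action.email.sendcsv = 1
"""

FALSY = {"0", "false", "f", "no", "n"}  # spellings treated as "off" (assumption)

def is_true(value):
    return value.strip().lower() not in FALSY

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}, skipping continuation lines."""
    stanzas, current, cont = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        # A trailing backslash continues the value onto the next line.
        skip, cont = cont, line.endswith("\\")
        if skip or not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def csv_newline_report(text):
    """Map each CSV-emailing saved search to True if newlines are still escaped."""
    report = {}
    for name, kv in parse_conf(text).items():
        if is_true(kv.get("action.email", "0")) and is_true(kv.get("action.email.sendcsv", "0")):
            report[name] = is_true(kv.get("action.email.escapeCSVNewline", "true"))
    return report
```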
Hi @tscroggins,
Thanks for all your comments. I'm running 8.2 and the 1st suggestion you made worked, but we didn't see the changes until the Search heads were restarted.
Now the CSV files are coming with the right format. One thing I noticed: if I clone an existing report with the CSV format configuration, the new one will adopt that configuration too.
Thanks
Hi @tscroggins
Really appreciate your comments, I'm currently working with the changes you've suggested.
Thanks and Regards,