CSV file has a different format when downloaded vs. when generated from a scheduled report

JMPP
Explorer

Hi everyone,

For some reason I'm getting a different CSV file format when I download it vs. when it is generated by the scheduled report functionality.

- When I download the file from the Splunk search option I get something like:

{"timestamp: 2024-04-02T22:42:19.655Z
sequence: 735
blablaclasname: com.rr.jj.eee.rrr
anotherblablaclasnameName: com.rr.rr.rrrr.rrr
level: ERRROR

exceptionMessage: blablabc
....
}

- When I receive the file by email using the same query I get something like:
{"timestamp: 2024-04-02T22:42:19.655Z\nsequence: 735\nblablaclasname: com.rr.jj.eee.rrr\nanotherblablaclasnameName: com.rr.rr.rrrr.rrr\nlevel: ERRROR\n\nexceptionMessage: blablabc\n....}

In the *.conf file I am seeing:
LINE_BREAKER = \}(\,?[\r\n]+)\{?


Regards

0 Karma
1 Solution

tscroggins
Influencer

Hi @JMPP,

Splunkweb and the sendemail command/action use different code to render CSV files. Fortunately, there's a sendemail option to enable/disable escaping newline characters in CSV attachments:

action.email.escapeCSVNewline

The default value is true.

Unfortunately, the setting isn't exposed through the Searches, reports, and alerts Advanced Edit page. Try adding the following setting directly to your alert's savedsearches.conf stanza in either $SPLUNK_HOME/etc/apps/<app>/local/savedsearches.conf for shared searches or $SPLUNK_HOME/etc/users/<user>/<app>/local/savedsearches.conf for private searches, e.g.:

# $SPLUNK_HOME/etc/apps/search/local/savedsearches.conf

[My Groovy Alert]
# ...
action.email.escapeCSVNewline = false

If you're using Splunk Cloud, support can help you update the file, or you can package the alert in a custom app. The latter warrants a separate question.

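To make the difference concrete, here is a small added Python example that is not code from the thread or from Splunk. It models the two renderings the question shows: the email attachment with embedded CR/LF escaped as the two characters `\r`/`\n` (the behaviour the answer attributes to `action.email.escapeCSVNewline` being on), and the web download that keeps real newlines inside a quoted field. The sample row, the function names and the exact escaping rule are assumptions inferred from the samples in the question.

```python
import csv
import io

# Constructed sample row (not data from the original post): the _raw field
# carries embedded newlines, like the JSON-ish log event shown in the question.
SAMPLE_ROWS = [
    {
        "_time": "2024-04-02T22:42:19.655Z",
        "_raw": (
            '{"timestamp: 2024-04-02T22:42:19.655Z\n'
            "sequence: 735\n"
            "level: ERRROR\n"
            "\n"
            "exceptionMessage: blablabc\n"
            "....}"
        ),
    }
]


def render_csv(rows, escape_newlines):
    """Render rows as CSV text.

    escape_newlines=True mimics what the thread reports for sendemail's default
    (action.email.escapeCSVNewline on): CR/LF inside a field are replaced by the
    two-character sequences \\r and \\n, so every record sits on one physical line.
    escape_newlines=False keeps the newlines and relies on RFC 4180 quoting, which is
    what the Splunk Web download in the question looks like.
    """
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0]), lineterminator="\n")
    writer.writeheader()
    for row in rows:
        if escape_newlines:
            row = {k: v.replace("\r", "\\r").replace("\n", "\\n") for k, v in row.items()}
        writer.writerow(row)
    return buf.getvalue()


def parse_csv(text, unescape_newlines=False):
    """Parse CSV text with the csv module, which handles quoted multi-line fields.

    unescape_newlines=True reverses the escaping done by render_csv. This is lossy if a
    field legitimately contained a backslash followed by 'n' or 'r', so prefer turning
    the escaping off at the source when you control the saved search.
    """
    rows = list(csv.DictReader(io.StringIO(text)))
    if unescape_newlines:
        rows = [
            {k: v.replace("\\r", "\r").replace("\\n", "\n") for k, v in row.items()}
            for row in rows
        ]
    return rows


def physical_line_count(text):
    """What a naive consumer that splits the attachment on newlines would count."""
    return len(text.splitlines())


if __name__ == "__main__":
    escaped = render_csv(SAMPLE_ROWS, escape_newlines=True)
    plain = render_csv(SAMPLE_ROWS, escape_newlines=False)
    print("escaped attachment:", physical_line_count(escaped), "physical lines")
    print("plain attachment:  ", physical_line_count(plain), "physical lines")
    # Only a real CSV parser recovers the field intact from the plain form;
    # the escaped form needs the extra unescape step.
    print(parse_csv(plain)[0]["_raw"] == SAMPLE_ROWS[0]["_raw"])
    print(parse_csv(escaped, unescape_newlines=True)[0]["_raw"] == SAMPLE_ROWS[0]["_raw"])
```

The practical point for anything downstream of the email action (a ticketing integration, a script that greps the attachment line by line): the escaped form has one physical line per record, the unescaped form does not, so the consumer must either parse with a real CSV reader or know which of the two it is getting. To confirm which value Splunk actually reads for the stanza, and from which file, `$SPLUNK_HOME/bin/splunk btool savedsearches list "<stanza name>" --debug` prints the effective setting with its source path.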

JMPP
Explorer

@tscroggins,

Is the suggested configuration restricted to certain Splunk versions? We have tried different options but we are not seeing the CSV formatted as expected, even after the instances were restarted.

Thanks in advance. We have run the reports as simply as possible, e.g.:
"index=os earliest=-5m |timechart span=1m values(host)"



Regards

0 Karma

tscroggins
Influencer

Hi @JMPP,

I tested on Splunk Enterprise 9.2 with a slight correction:

action.email.escapeCSVNewline = 0

The attachment received did not encode newlines as \n.

0 Karma

tscroggins
Influencer

As a quick follow-up, the setting is recognized by all currently supported versions of Splunk Enterprise and present at least as far back as Splunk Enterprise 8.1; however, it's not documented.

0 Karma

JMPP
Explorer

Hi @tscroggins,

Thanks for all your comments. I'm running 8.2 and the first suggestion you made worked, but we didn't see the changes until the search heads were restarted.

Now the CSV files are coming with the right format. One thing I noticed: if I clone an existing report with the CSV format configuration, the new one adopts that configuration too.

Thanks

JMPP
Explorer

Hi @tscroggins,

Really appreciate your comments. I'm currently working with the changes you've suggested.

Thanks and Regards,

0 Karma
