Splunk Cloud Platform

Forcepoint Web Security add-on avoid csv header extraction

SplunkExplorer
Contributor

Hi Splunkers, in our environment we onboarded Forcepoint Cloud logs following this guide. 
In a nuthsell, we have to use a script that regularly pulls data from cloud and place them on a HF, as .csv files; then, info are sent to Splunk Cloud.

We got the following problem: logs are always of 2 types, the correct one and the "empty one":

SplunkExplorer_0-1689599938893.png

As you can see, we have only the field labels, not values. Working with support, we discovered that a possible root case is in the add-on, that sometimes extract the .csv header and manage it like data. So, if we want to solve the problem and avoid to change the script, we could fix the problem going in props.conf of add-on used to parse, which is Splunk Add-on for Forcepoint Web Security , perform a change and take the correct logs.

So, the question is: if I have to tell in a props.conf "Hey, don't extract the .csv headers", which syntax I have to use?

Labels (1)
0 Karma
1 Solution

m_pham
Splunk Employee
Splunk Employee

Hi there, if the add-on you're using is just ingesting a the CSV file itself, then you can use the following configuration below to tell Splunk about the header fields so it doesn't ingest them.

 

[my_sourcetype]
# Specifies the line number of the line within the file that contains the header fields. If set to 0, Splunk attempts to locate the header fields within the file automatically.
HEADER_FIELD_LINE_NUMBER = 0
# Specifies which character delimits or separates field names in the header line. You can specify special characters in this attribute. If HEADER_FIELD_DELIMITER is not specified, FIELD_DELIMITER applies to the header line.
HEADER_FIELD_DELIMITER = ,


More details on ingesting structured data can be found here: 

https://docs.splunk.com/Documentation/SplunkCloud/9.0.2305/Data/Extractfieldsfromfileswithstructured...

View solution in original post

m_pham
Splunk Employee
Splunk Employee

Hi there, if the add-on you're using is just ingesting a the CSV file itself, then you can use the following configuration below to tell Splunk about the header fields so it doesn't ingest them.

 

[my_sourcetype]
# Specifies the line number of the line within the file that contains the header fields. If set to 0, Splunk attempts to locate the header fields within the file automatically.
HEADER_FIELD_LINE_NUMBER = 0
# Specifies which character delimits or separates field names in the header line. You can specify special characters in this attribute. If HEADER_FIELD_DELIMITER is not specified, FIELD_DELIMITER applies to the header line.
HEADER_FIELD_DELIMITER = ,


More details on ingesting structured data can be found here: 

https://docs.splunk.com/Documentation/SplunkCloud/9.0.2305/Data/Extractfieldsfromfileswithstructured...

Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...