Splunk Cloud Platform
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Forcepoint Web Security add-on avoid csv header extraction

SplunkExplorer
Contributor
‎07-17-2023 06:25 AM

Hi Splunkers, in our environment we onboarded Forcepoint Cloud logs following this guide. 
In a nuthsell, we have to use a script that regularly pulls data from cloud and place them on a HF, as .csv files; then, info are sent to Splunk Cloud.

We got the following problem: logs are always of 2 types, the correct one and the "empty one":

SplunkExplorer_0-1689599938893.png

As you can see, we have only the field labels, not values. Working with support, we discovered that a possible root case is in the add-on, that sometimes extract the .csv header and manage it like data. So, if we want to solve the problem and avoid to change the script, we could fix the problem going in props.conf of add-on used to parse, which is Splunk Add-on for Forcepoint Web Security , perform a change and take the correct logs.

So, the question is: if I have to tell in a props.conf "Hey, don't extract the .csv headers", which syntax I have to use?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

m_pham
Splunk Employee
Splunk Employee
‎07-21-2023 03:19 AM

Hi there, if the add-on you're using is just ingesting a the CSV file itself, then you can use the following configuration below to tell Splunk about the header fields so it doesn't ingest them.

 

[my_sourcetype]
# Specifies the line number of the line within the file that contains the header fields. If set to 0, Splunk attempts to locate the header fields within the file automatically.
HEADER_FIELD_LINE_NUMBER = 0
# Specifies which character delimits or separates field names in the header line. You can specify special characters in this attribute. If HEADER_FIELD_DELIMITER is not specified, FIELD_DELIMITER applies to the header line.
HEADER_FIELD_DELIMITER = ,


More details on ingesting structured data can be found here: 

https://docs.splunk.com/Documentation/SplunkCloud/9.0.2305/Data/Extractfieldsfromfileswithstructured...

View solution in original post

Reply
Solved! Jump to solution
Solution

m_pham
Splunk Employee
Splunk Employee
‎07-21-2023 03:19 AM

Hi there, if the add-on you're using is just ingesting a the CSV file itself, then you can use the following configuration below to tell Splunk about the header fields so it doesn't ingest them.

 

[my_sourcetype]
# Specifies the line number of the line within the file that contains the header fields. If set to 0, Splunk attempts to locate the header fields within the file automatically.
HEADER_FIELD_LINE_NUMBER = 0
# Specifies which character delimits or separates field names in the header line. You can specify special characters in this attribute. If HEADER_FIELD_DELIMITER is not specified, FIELD_DELIMITER applies to the header line.
HEADER_FIELD_DELIMITER = ,


More details on ingesting structured data can be found here: 

https://docs.splunk.com/Documentation/SplunkCloud/9.0.2305/Data/Extractfieldsfromfileswithstructured...

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...