Splunk Cloud Platform
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Forcepoint Web Security add-on avoid csv header extraction

SplunkExplorer
Contributor
‎07-17-2023 06:25 AM

Hi Splunkers, in our environment we onboarded Forcepoint Cloud logs following this guide. 
In a nuthsell, we have to use a script that regularly pulls data from cloud and place them on a HF, as .csv files; then, info are sent to Splunk Cloud.

We got the following problem: logs are always of 2 types, the correct one and the "empty one":

SplunkExplorer_0-1689599938893.png

As you can see, we have only the field labels, not values. Working with support, we discovered that a possible root case is in the add-on, that sometimes extract the .csv header and manage it like data. So, if we want to solve the problem and avoid to change the script, we could fix the problem going in props.conf of add-on used to parse, which is Splunk Add-on for Forcepoint Web Security , perform a change and take the correct logs.

So, the question is: if I have to tell in a props.conf "Hey, don't extract the .csv headers", which syntax I have to use?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

m_pham
Splunk Employee
Splunk Employee
‎07-21-2023 03:19 AM

Hi there, if the add-on you're using is just ingesting a the CSV file itself, then you can use the following configuration below to tell Splunk about the header fields so it doesn't ingest them.

 

[my_sourcetype]
# Specifies the line number of the line within the file that contains the header fields. If set to 0, Splunk attempts to locate the header fields within the file automatically.
HEADER_FIELD_LINE_NUMBER = 0
# Specifies which character delimits or separates field names in the header line. You can specify special characters in this attribute. If HEADER_FIELD_DELIMITER is not specified, FIELD_DELIMITER applies to the header line.
HEADER_FIELD_DELIMITER = ,


More details on ingesting structured data can be found here: 

https://docs.splunk.com/Documentation/SplunkCloud/9.0.2305/Data/Extractfieldsfromfileswithstructured...

View solution in original post

Reply
Solved! Jump to solution
Solution

m_pham
Splunk Employee
Splunk Employee
‎07-21-2023 03:19 AM

Hi there, if the add-on you're using is just ingesting a the CSV file itself, then you can use the following configuration below to tell Splunk about the header fields so it doesn't ingest them.

 

[my_sourcetype]
# Specifies the line number of the line within the file that contains the header fields. If set to 0, Splunk attempts to locate the header fields within the file automatically.
HEADER_FIELD_LINE_NUMBER = 0
# Specifies which character delimits or separates field names in the header line. You can specify special characters in this attribute. If HEADER_FIELD_DELIMITER is not specified, FIELD_DELIMITER applies to the header line.
HEADER_FIELD_DELIMITER = ,


More details on ingesting structured data can be found here: 

https://docs.splunk.com/Documentation/SplunkCloud/9.0.2305/Data/Extractfieldsfromfileswithstructured...

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...