Splunk Cloud Platform

Forcepoint Web Security add-on avoid csv header extraction

SplunkExplorer
Contributor

Hi Splunkers, in our environment we onboarded Forcepoint Cloud logs following this guide. 
In a nuthsell, we have to use a script that regularly pulls data from cloud and place them on a HF, as .csv files; then, info are sent to Splunk Cloud.

We got the following problem: logs are always of 2 types, the correct one and the "empty one":

SplunkExplorer_0-1689599938893.png

As you can see, we have only the field labels, not values. Working with support, we discovered that a possible root case is in the add-on, that sometimes extract the .csv header and manage it like data. So, if we want to solve the problem and avoid to change the script, we could fix the problem going in props.conf of add-on used to parse, which is Splunk Add-on for Forcepoint Web Security , perform a change and take the correct logs.

So, the question is: if I have to tell in a props.conf "Hey, don't extract the .csv headers", which syntax I have to use?

Labels (1)
0 Karma
1 Solution

m_pham
Splunk Employee
Splunk Employee

Hi there, if the add-on you're using is just ingesting a the CSV file itself, then you can use the following configuration below to tell Splunk about the header fields so it doesn't ingest them.

 

[my_sourcetype]
# Specifies the line number of the line within the file that contains the header fields. If set to 0, Splunk attempts to locate the header fields within the file automatically.
HEADER_FIELD_LINE_NUMBER = 0
# Specifies which character delimits or separates field names in the header line. You can specify special characters in this attribute. If HEADER_FIELD_DELIMITER is not specified, FIELD_DELIMITER applies to the header line.
HEADER_FIELD_DELIMITER = ,


More details on ingesting structured data can be found here: 

https://docs.splunk.com/Documentation/SplunkCloud/9.0.2305/Data/Extractfieldsfromfileswithstructured...

View solution in original post

m_pham
Splunk Employee
Splunk Employee

Hi there, if the add-on you're using is just ingesting a the CSV file itself, then you can use the following configuration below to tell Splunk about the header fields so it doesn't ingest them.

 

[my_sourcetype]
# Specifies the line number of the line within the file that contains the header fields. If set to 0, Splunk attempts to locate the header fields within the file automatically.
HEADER_FIELD_LINE_NUMBER = 0
# Specifies which character delimits or separates field names in the header line. You can specify special characters in this attribute. If HEADER_FIELD_DELIMITER is not specified, FIELD_DELIMITER applies to the header line.
HEADER_FIELD_DELIMITER = ,


More details on ingesting structured data can be found here: 

https://docs.splunk.com/Documentation/SplunkCloud/9.0.2305/Data/Extractfieldsfromfileswithstructured...

Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Laser Bananas and Edge Hubs: Exploring Operational Technology (OT) Data Through a ...

  OT is a different environment to traditional IT and can have interesting challenges when interfacing the ...

Event Series: Mastering AI Tokenomics and Splunk Agent Observability

Beyond the Black Box: Correlating AI Performance and Tokenomics with Splunk Agent Observability   As ...

span_metrics: The OpenTelemetry-Idiomatic Way to See Inside Your Services

You open a trace in Splunk Observability Cloud and everything looks fine. One root span, order-pipeline, with ...