Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Any advice on how to resolve multiple CSV header issues?

andrew_burnett
Path Finder
‎04-14-2023 09:43 AM

We are getting multiple errors like this

Corrupt csv header in CSV file , 2 columns with the same name

However we have so many CSV files that finding them will be all but impossible.

 

Can someone provide advice on how to find them? 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎04-14-2023 12:25 PM

Assuming that your OS is unix/linux, assuming that your CSV files use standard filenaming conventions (i.e. *.csv), assuming that your CSV files are standard with a header on the first line, assuming that the source files still exist, you can use the following CLI commands to identify problematic files:

find ${SPLUNK_HOME}/etc/apps/*/lookups -name *.csv -exec head -1 {} \; | tr ',' '\n' | sort| uniq -d

This will tell you the duplicated field, e.g. "foo".  Then take that and do this to find the file (or a small pile to peek through):

for FILE in $(find ${SPLUNK_HOME}/lookups -name *.csv -exec grep -il foo {} \;); do echo ${FILE}; head -1 ${FILE} | tr ',' '\n' | sort | uniq -d; done

Here are some other tips:

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎04-14-2023 12:25 PM

Assuming that your OS is unix/linux, assuming that your CSV files use standard filenaming conventions (i.e. *.csv), assuming that your CSV files are standard with a header on the first line, assuming that the source files still exist, you can use the following CLI commands to identify problematic files:

find ${SPLUNK_HOME}/etc/apps/*/lookups -name *.csv -exec head -1 {} \; | tr ',' '\n' | sort| uniq -d

This will tell you the duplicated field, e.g. "foo".  Then take that and do this to find the file (or a small pile to peek through):

for FILE in $(find ${SPLUNK_HOME}/lookups -name *.csv -exec grep -il foo {} \;); do echo ${FILE}; head -1 ${FILE} | tr ',' '\n' | sort | uniq -d; done

Here are some other tips:

Reply
Solved! Jump to solution

andrew_burnett
Path Finder
‎04-14-2023 12:29 PM

So the first one command, every word it brings back is a duplicated one?

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎04-14-2023 12:31 PM

Exactly.

0 Karma
Reply
Solved! Jump to solution

andrew_burnett
Path Finder
‎04-14-2023 12:35 PM

Well see we are trying to find specific keywords, so I know like one I'm trying to test. When I run your second command, it pulls in a ton of CSV files. Checking one, and the word isn't in the CSV header at all?

0 Karma
Reply
Solved! Jump to solution

andrew_burnett
Path Finder
‎04-14-2023 12:36 PM

Oh I see it now, the word is in the CSV file itself. But I'm only concerned with the headers, is that not what the alert means?

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎04-14-2023 12:47 PM

Yes.  I updated my answer to help better.

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...