Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Any advice on how to resolve multiple CSV header issues?

andrew_burnett
Path Finder
‎04-14-2023 09:43 AM

We are getting multiple errors like this

Corrupt csv header in CSV file , 2 columns with the same name

However we have so many CSV files that finding them will be all but impossible.

 

Can someone provide advice on how to find them? 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎04-14-2023 12:25 PM

Assuming that your OS is unix/linux, assuming that your CSV files use standard filenaming conventions (i.e. *.csv), assuming that your CSV files are standard with a header on the first line, assuming that the source files still exist, you can use the following CLI commands to identify problematic files:

find ${SPLUNK_HOME}/etc/apps/*/lookups -name *.csv -exec head -1 {} \; | tr ',' '\n' | sort| uniq -d

This will tell you the duplicated field, e.g. "foo".  Then take that and do this to find the file (or a small pile to peek through):

for FILE in $(find ${SPLUNK_HOME}/lookups -name *.csv -exec grep -il foo {} \;); do echo ${FILE}; head -1 ${FILE} | tr ',' '\n' | sort | uniq -d; done

Here are some other tips:

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎04-14-2023 12:25 PM

Assuming that your OS is unix/linux, assuming that your CSV files use standard filenaming conventions (i.e. *.csv), assuming that your CSV files are standard with a header on the first line, assuming that the source files still exist, you can use the following CLI commands to identify problematic files:

find ${SPLUNK_HOME}/etc/apps/*/lookups -name *.csv -exec head -1 {} \; | tr ',' '\n' | sort| uniq -d

This will tell you the duplicated field, e.g. "foo".  Then take that and do this to find the file (or a small pile to peek through):

for FILE in $(find ${SPLUNK_HOME}/lookups -name *.csv -exec grep -il foo {} \;); do echo ${FILE}; head -1 ${FILE} | tr ',' '\n' | sort | uniq -d; done

Here are some other tips:

Reply
Solved! Jump to solution

andrew_burnett
Path Finder
‎04-14-2023 12:29 PM

So the first one command, every word it brings back is a duplicated one?

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎04-14-2023 12:31 PM

Exactly.

0 Karma
Reply
Solved! Jump to solution

andrew_burnett
Path Finder
‎04-14-2023 12:35 PM

Well see we are trying to find specific keywords, so I know like one I'm trying to test. When I run your second command, it pulls in a ton of CSV files. Checking one, and the word isn't in the CSV header at all?

0 Karma
Reply
Solved! Jump to solution

andrew_burnett
Path Finder
‎04-14-2023 12:36 PM

Oh I see it now, the word is in the CSV file itself. But I'm only concerned with the headers, is that not what the alert means?

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎04-14-2023 12:47 PM

Yes.  I updated my answer to help better.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...