Re: How to properly parse a CSV file with embedded...

jhuysing · ‎12-14-2015

The field ends with a protected quote followed by another quote

Ex:

 "field1",field2", "field3-sdasds\"textdata blah blah\"", "field4-#$%232",

The embedded quotes are protected, but when the files are processed, it doesn't split the fields correctly and field 3 and 4 end up together.

I have experimented with adding a space between the protected quote and field terminating quote and it seems to work.

field1",field2", "field3-sdasds\"textdata blah blah\" ", "field4-#$%232"

Is there someway to do this automatically before the files are indexed?

jhuysing · ‎12-14-2015

field3 should look like this "field3-sdasds\"textdata blah blah\"", "field4-#$%232"

jhuysing · ‎12-14-2015

try this again

field3 should look like this "field3-sdasds\"textdata blah blah\"", "field4-#$%232"

jhuysing · ‎12-14-2015

ok how do enter backslashes here so they don't get absorbed

ppablo · ‎12-14-2015

Hi @jhuysing

To get backslashes to render properly, you have to wrap your line of text in back ticks like this so lines like \backslash\backslash\ \ \ will show up as expected. If you're every sharing a .conf stanza, it's best to highlight the entire block and click on the "Code Sample" button in the text editing tools above the text box, especially when showing anything with regular expressions. For example:

[stanza]
REGEX = *\<&>\*

andrew207 · ‎12-14-2015

You're gonna have to escape the rogue quote.
field1",field2", "field3-sdasds"textdata blah blah\" ", "field4-#$%232"
Any quote that's supposed to be ingested as data rather than a delimiter should be escaped by whatever software is constructing the logs.

How to properly parse a CSV file with embedded double quotes on the end of a field before the file is indexed?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?