Re: Quoting values and CSV export

benton · ‎07-15-2021

If I run this search I generate two numeric fields, one called number the other called decimal

| makeresults 1
| eval number = 7
| eval decimal = 7.0

When I choose to export this data as CSV there are quotes around decimal but not around number. Is it possible to ensure that neither field has quotes when the CSV is downloaded?

benton · ‎07-15-2021

Thank you for the reference! I hadn't seen that post yet, but it's not working as expected, or I'm misunderstanding that post, or maybe it's because my problem is with using the Splunk web UI to export the CSV to my local computer. My search doesn't involve the outputcsv command. In any case, the behavior is consistent, if the number contains a decimal then it is quoted. If it doesn't contain a decimal it is not quoted. I think this is related to the UI download behavior itself and maybe I can't overcome it via a change to the search.

| makeresults 1
| eval number = 7
| eval decimal = 7.0
| eval never_quotes = trim(decimal, "\"")

You'll notice that never_quotes still contains quotes.

efika · ‎07-15-2021

This seems to be how CSV is working. Note that the header says that it is recognized as a decimal number.
What you are trying to do with the exported CSV ?

benton · ‎07-15-2021

A user clicks the export button from a dashboard and then that file is manually fed into an application that runs on the local computer. Except that application is expecting that all numbers will not be quoted. As a work-around the users are currently exporting the file from Splunk, opening it in Excel, and then closing/saving as CSV. Excel seems to automatically resolve the issue during the save by removing all the quotes from numeric fields. The actual file also includes text columns with spaces that require quotes. It seems like Excel automatically and correctly maintains the quotes when needed and removes them when not needed.

efika · ‎07-15-2021

So it seems that the other application is pointed to the var\run\splunk\csv to read the exported files ?

One option to tackle your situation is to point the importing application to a different folder and use a cron/scheduled task to read the splunk CSV files, SED the unneeded quotes and write the files to this new folder.

benton · ‎07-15-2021

@efika wrote:
So it seems that the other application is pointed to the var\run\splunk\csv to read the exported files ?
One option to tackle your situation is to point the importing application to a different folder and use a cron/scheduled task to read the splunk CSV files, SED the unneeded quotes and write the files to this new folder.

The other application runs locally (as does Excel) and we do not allow these local computers to have access to the Splunk server directly.

efika · ‎07-15-2021

You can still run the scheduling task on the splunk server itself and let it copy to the other machines so you continue to adhere to the described design.

efika · ‎07-15-2021

see @MuS answer here :

https://community.splunk.com/t5/Splunk-Search/When-does-splunk-add-double-quotation-in-outputcsv/td-...

Quoting values and CSV export

other

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?