I see. So that would mean creating a new scheduled search sanitizing the CSV file after it has been created. That would also mean making sure this runs between the daily update of the file and the next scheduled use of said file. I will have a look at this and let you know what ended up working best. EDIT : I created a new Scheduled search with the suggested inputlookup/eval/outpulookup chain. The time of edition of the CSV file is not fixed (API response time can vary), so the search was scheduled to run every 2min in the 10min window when the CSV update usually happens. ... View more

Our search looks like this : | tstats summariesonly=true values(Web.user) values(Web.src) c from datamodel=Web by Web.url Web.user | rename values(*) as * | rename Web.* as * | lookup csv_url url OUTPUT hashkey as hk | where isnotnull(hk) and it is the "lookup" part that fails. With your suggestion of surrogating the character, would it be something that you do inside this saved search, or somewhere else, and how? The NULL characters are located in the "url" field, so replacing them with "%00" would be fine. ... View more

Another addon is actually generating the CSV file from API calls. I checked the original source, which does contain \x00. After checking with the authors of said API, those null bytes are expected and can be present at the end or in the middle of the string. To indirectly cite/translate what they said, their source of data is supposed to already be cleaned, then they can pass the data onto the API and then to the CSV builder inside their Splunk Addon. The addon then writes the CSV file from its python code. Editing the python code could be possible, but it would also mean that whenever the addon gets updated, the modification would get lost and the issue would come back.   Regarding the KV-store option, the file is ~30MB, updated twice a day. It is used every 5min in a scheduled search. However, the addon does not give us the possibility of outputing its data as KV Store. ... View more