Hi All,
I'm having issues with ingesting my CSV files properly into Splunk and did not come across any current Q&A that could help my specific issue.
An example of a couple of rows of data in my CSV is as follows, with their respective header fields at the top of the file:
Plugin ID
CVE
CVSS v2.0 Base Score
Risk
Host
Protocol
Port
Name
Synopsis
Description
Solution
See Also
Plugin Output
STIG Severity
CVSS v3.0 Base Score
CVSS v2.0 Temporal Score
CVSS v3.0 Temporal Score
Risk Factor
BID
XREF
MSKB
Plugin Publication Date
Plugin Modification Date
Metasploit
Core Impact
CANVAS
135860
None
host2.web.com
tcp
445
WMI Not Available
WMI queries could not be made against the remote host.
WMI (Windows Management Instrumentation) is not available on the remote host over DCOM. WMI queries are used to gather information about the remote host, such as its current state, network interface configuration, etc. Without this information Nessus may not be able to identify installed software or security vunerabilities that exist on the remote host.
n/a
https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page
Can't connect to the 'root\CIMV2' WMI namespace.
None
4/21/20
12/21/22
166602
None
host2.web.com
tcp
0
Asset Attribute: Fully Qualified Domain Name (FQDN)
Report Fully Qualified Domain Name (FQDN) for the remote host.
Report Fully Qualified Domain Name (FQDN) for the remote host.
n/a
The FQDN for the remote host has been determined to be: FQDN : host2.web.com Confidence : 100 Resolves : True Method : rDNS Lookup: IP Address Another possible FQDN was also detected:
None
10/27/22
10/27/22
For the second event's Plugin Output field, it keeps reading each new line as a new row. A lot of the rows contain similar data which is causing there to be far more logged events than there are rows in the CSV file.
How can I ensure these fields get parsed properly to keep each row within one event and each cell as its own field? I have tried a handful of configurations and am currently working with the following:
props.conf
[csv]
INDEXED_EXTRACTIONS = csv
DATETIME_CONFIG = CURRENT
SHOULD_LINEMERGE = true
NO_BINARY_CHECK = true
CHARSET = AUTO
KV_MODE = none
pulldown_type = true
[scan_reports]
REPORT-scan_reports = csv_fields
transforms.conf
[csv_fields]
DELIMS = ","
FIELDS = "Plugin ID", "CVE", "CVSS v2.0 Base Score", "Risk", "Host", "Protocol", "Port", "Name", "Synopsis", "Description", "Solution", "See Also", "Plugin Output", "STIG Severity", "CVSS v3.0 Base Score", "CVSS v2.0 Temporal Score", "CVSS v3.0 Temporal Score", "Risk Factor", "BID", "XREF", "MSKB", "Plugin Publication Date", "Plugin Modification Date", "Metasploit", "Core Impact", "CANVAS"
Any help will be greatly appreciated!
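An added illustration, not part of the original post, of why the multi-line Plugin Output cell inflates the event count: a constructed two-row Nessus-style CSV (same header as above) is counted once by a line-oriented reader, which breaks on every newline, and once by an RFC 4180 aware CSV reader, which keeps quoted newlines inside the cell. It also checks a FIELDS list against the file's real header, which catches the kind of name mismatch (e.g. "Synposis" vs "Synopsis") that silently misaligns columns.

```python
import csv
import io

# Header columns exactly as listed in the post.
HEADER = ["Plugin ID", "CVE", "CVSS v2.0 Base Score", "Risk", "Host",
          "Protocol", "Port", "Name", "Synopsis", "Description", "Solution",
          "See Also", "Plugin Output", "STIG Severity", "CVSS v3.0 Base Score",
          "CVSS v2.0 Temporal Score", "CVSS v3.0 Temporal Score", "Risk Factor",
          "BID", "XREF", "MSKB", "Plugin Publication Date",
          "Plugin Modification Date", "Metasploit", "Core Impact", "CANVAS"]

def build_sample_csv():
    """Constructed sample (not the poster's file): two rows, the second with a
    multi-line Plugin Output cell. csv.writer quotes that cell per RFC 4180."""
    row1 = dict.fromkeys(HEADER, "")
    row1.update({"Plugin ID": "135860", "Risk": "None", "Host": "host2.web.com",
                 "Protocol": "tcp", "Port": "445", "Name": "WMI Not Available",
                 "Plugin Output": "Can't connect to the 'root\\CIMV2' WMI namespace."})
    row2 = dict.fromkeys(HEADER, "")
    row2.update({"Plugin ID": "166602", "Risk": "None", "Host": "host2.web.com",
                 "Protocol": "tcp", "Port": "0",
                 "Name": "Asset Attribute: Fully Qualified Domain Name (FQDN)",
                 "Plugin Output": "The FQDN for the remote host has been determined to be:\n"
                                  "FQDN : host2.web.com\nConfidence : 100\nResolves : True\n"
                                  "Method : rDNS Lookup: IP Address"})
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=HEADER, lineterminator="\n")
    writer.writeheader()
    writer.writerows([row1, row2])
    return buf.getvalue()

def count_naive_events(text):
    """Events a line-oriented reader produces: one per physical line, minus the header."""
    return len(text.splitlines()) - 1

def count_csv_rows(text):
    """Rows an RFC 4180 aware reader produces: quoted newlines stay inside the cell."""
    return sum(1 for _ in csv.DictReader(io.StringIO(text)))

def fields_mismatch(text, configured):
    """Header names missing from a configured FIELDS list, and configured names
    missing from the header. Both lists empty means the mapping lines up."""
    header = next(csv.reader(io.StringIO(text)))
    return ([h for h in header if h not in configured],
            [c for c in configured if c not in header])

if __name__ == "__main__":
    sample = build_sample_csv()
    print("line-oriented events:", count_naive_events(sample))   # 6
    print("real CSV rows:", count_csv_rows(sample))              # 2
```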