One of the log files being monitored by Splunk is a bz2 file. It is being read by the UF on the server. The local/props.conf in the add-on to process the events looks like this:
[mvm:csv]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = csv
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIMESTAMP_FIELDS = mvm_assets_last_found_date_time
TRUNCATE = 999999
TZ = UTC
When I examine the events I see the following:
"Rising_Column","mvm_resultcode","mvm_assetid","mvm_hostid","vulnstartdate","vulnenddate","dest_ip","xref","cve","signature","mvm_description","mvm_observation","mvm_recommendation","mvm_addeddate","mvm_patch_type","vendor_product","os_app","mvm_basescorevalue","mvm_baseexploitvalue","mvm_baseimpactvalue","mvm_site_id","mvm_scantype","mvm_dmzhost","mvm_devicetype","mvm_dc_host","mvm_mit_patch","mvm_osname","mvm_nbname","mvm_dnsname","mvm_macaddress","mvm_patch_status","mvm_region","mvm_assets_last_found_date_time"
And there is a blank line. When I unzipped the BZ2 file, the blank line turned out to be a control-Z. I haven't figured out how to remove the header and the line with the control-Z on it. Any ideas?
TIA,
Joe
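The control-Z the poster describes is the byte 0x1A (a DOS-era end-of-file marker). The following script is an added example, not code from the post or from Splunk: it decompresses a .bz2 CSV, reports which lines carry a 0x1A byte, drops those lines, and shows that the CSV header is consumed as field names rather than as a data row. It assumes the file is UTF-8 and that the control-Z sits on a line of its own, as described above; the sample bytes are constructed for the demonstration. It is one way to clean such a file before the forwarder reads it, independent of the props.conf settings shown above.

```python
import bz2
import csv
import io

CTRL_Z = b"\x1a"  # the byte behind the "blank" line in the post (DOS-era end-of-file marker)


def find_ctrl_z_lines(raw: bytes) -> list[int]:
    """Return the 1-based numbers of lines that contain a Ctrl-Z byte (for diagnosis)."""
    return [i for i, line in enumerate(raw.splitlines(), start=1) if CTRL_Z in line]


def strip_ctrl_z_lines(raw: bytes) -> bytes:
    """Drop every line that is empty once Ctrl-Z bytes and whitespace are removed.

    The original line ending (CRLF or LF) is preserved so the cleaned file looks like the source.
    """
    eol = b"\r\n" if b"\r\n" in raw else b"\n"
    kept = [line for line in raw.splitlines() if line.replace(CTRL_Z, b"").strip()]
    return eol.join(kept) + eol


def parse_rows(raw: bytes) -> tuple[list[str], list[dict[str, str]]]:
    """Parse the cleaned CSV: the first line becomes the field names, the rest become rows."""
    text = strip_ctrl_z_lines(raw).decode("utf-8", errors="replace")
    reader = csv.DictReader(io.StringIO(text))
    return list(reader.fieldnames or []), list(reader)


def rewrite_bz2(src_path: str, dst_path: str) -> int:
    """Read a .bz2 CSV, strip Ctrl-Z lines, write a fresh .bz2; returns the number of lines kept."""
    with bz2.open(src_path, "rb") as fh:
        cleaned = strip_ctrl_z_lines(fh.read())
    with bz2.open(dst_path, "wb") as out:
        out.write(cleaned)
    return len(cleaned.splitlines())


# Constructed sample (not the poster's real data): a header, two records, and a Ctrl-Z line.
SAMPLE = (
    b'"Rising_Column","mvm_assetid","dest_ip","mvm_assets_last_found_date_time"\r\n'
    b'"1","asset-01","10.0.0.5","2020-01-01 00:00:00"\r\n'
    b'"2","asset-02","10.0.0.6","2020-01-01 00:05:00"\r\n'
    b"\x1a\r\n"
)

if __name__ == "__main__":
    print("Ctrl-Z found on lines:", find_ctrl_z_lines(SAMPLE))
    header, rows = parse_rows(SAMPLE)
    print(len(header), "header fields;", len(rows), "data rows")
    print("last record:", rows[-1])
```

Run it against a real file with `rewrite_bz2("input.csv.bz2", "cleaned.csv.bz2")` and point the forwarder at the cleaned copy; `find_ctrl_z_lines` is handy for confirming that the stray byte really is 0x1A before changing any ingestion settings.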