Why am I seeing these extra fields when I log a BZ2 file?

One of the log files being monitored by Splunk is a bz2 file. It is being read by the UF on the server. The local/props.conf in the add-on to process the events looks like this:

    [mvm:csv]
    DATETIME_CONFIG =
    INDEXED_EXTRACTIONS = csv
    KV_MODE = none
    NO_BINARY_CHECK = true
    SHOULD_LINEMERGE = false
    TIMESTAMP_FIELDS = mvm_assets_last_found_date_time
    TRUNCATE = 999999
    TZ = UTC

When I examine the events I see the following:

    "Rising_Column","mvm_resultcode","mvm_assetid","mvm_hostid","vulnstartdate","vulnenddate","dest_ip","xref","cve","signature","mvm_description","mvm_observation","mvm_recommendation","mvm_addeddate","mvm_patch_type","vendor_product","os_app","mvm_basescorevalue","mvm_baseexploitvalue","mvm_baseimpactvalue","mvm_site_id","mvm_scantype","mvm_dmzhost","mvm_devicetype","mvm_dc_host","mvm_mit_patch","mvm_osname","mvm_nbname","mvm_dnsname","mvm_macaddress","mvm_patch_status","mvm_region","mvm_assets_last_found_date_time"

And there is a blank line. When I unzipped the BZ2 file, the blank line is a control-Z. I haven't figured out how to remove the header and the line with the control-Z on it. Any ideas?

TIA, Joe
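As an added example that is not part of the original post: a small Python check that decompresses a bz2 CSV like the one described, separates the header line and the data rows from lines that hold only control characters (such as the Ctrl-Z), and writes a cleaned copy without either. The sample archive is constructed inline with a shortened header; its column names and rows are assumptions, not data from the post.

```python
import bz2
import csv
import io

# Constructed sample: a bz2-compressed CSV shaped like the one in the question,
# with a quoted header line and a trailing line holding only Ctrl-Z (0x1A) + CRLF.
HEADER = '"Rising_Column","mvm_resultcode","mvm_assetid","mvm_assets_last_found_date_time"\r\n'
ROWS = (
    '"1","0","A1","2016-01-02 03:04:05"\r\n'
    '"2","0","A2","2016-01-02 03:04:06"\r\n'
)
SAMPLE_BZ2 = bz2.compress((HEADER + ROWS + "\x1a\r\n").encode("utf-8"))


def classify_lines(data: bytes):
    """Split a bz2-compressed CSV into (header, rows, junk).

    junk collects lines that are non-empty but contain only control characters
    or whitespace, e.g. a lone Ctrl-Z end-of-file marker; such a line looks
    blank in a viewer yet would still be ingested as a separate event.
    """
    text = bz2.decompress(data).decode("utf-8")
    header, rows, junk = None, [], []
    for line in text.splitlines():
        # Strip Ctrl-Z along with ordinary whitespace to spot "blank" junk lines.
        if line.strip("\x1a \t\r\n") == "":
            if line:
                junk.append(line)
            continue
        fields = next(csv.reader([line]))
        if header is None:
            header = fields          # first real line is the column header
        else:
            rows.append(fields)
    return header, rows, junk


def clean_csv(data: bytes) -> bytes:
    """Return the CSV with the header and junk lines removed.

    The data rows are re-serialised with CRLF and full quoting, matching the
    input style, so only genuine records remain to be indexed.
    """
    _, rows, _ = classify_lines(data)
    buf = io.StringIO()
    csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\r\n").writerows(rows)
    return buf.getvalue().encode("utf-8")
```

Running `classify_lines(SAMPLE_BZ2)` on the constructed archive reports one junk line consisting of the single byte 0x1A, which is the "blank" line the post describes.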
