Reporting

outputcsv not putting all results in quotes

mundus
Path Finder

I have a fairly complicated set of searches to create reports for Nessus vulnerability data. One thing I notice is that when I output the results to csv using outputcsv, not all of the columns are ending up in quotes. This is what the header row looks like:

hostname,domainname,"dest_ip","service_name",protocol,"dest_port","result_type",risk,score,"nessus_plugin_name","cve_id","nessus_id","access_vector","access_complexity",authentication,"availability_impact","confidentiality_impact","integrity_impact","nessus_solution"

The problem is that I can't import the data into Excel because some of the fields that aren't in quotes have commas in them. As far as how those fields were generated:

hostname and domainname were created from a lookup table that took the output of the Nessus plugin for resolving host names and extracting the hostname and domainname from the FQDN.

The protocol and port fields are extracted using rex at search time, but for some reason protocol isn't in quotes and port is.

Risk is extracted from the Nessus plugin files using props/transforms.conf.

The score field is assigned to the search result using a lookup table.

So, we've got several different fields that are created using several different methods, but only some of them are missing quotes.

How do I go about troubleshooting this?

Thx.

Craig

Tags (1)

lukejadamec
Super Champion

All of the quoted fields have underscores, which are often created by splunk because it converts spaces to underscores. If you change your output to AS something without a space or underscore the quotes might go away.

Excel will import the example given as csv, but some fields will have quotes.

0 Karma

jeffreygaraygay
Explorer

Craig, did you ever got a resolution to your issue? My issue is similar but it is the opposite; I would like to know if Splunk can strip off the quotes thru some command or some parameters of outputcsv because the system the i am sending the output csv file does not like qoutes

Thanks,
Jeff

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...