Citrix Netscaler with Appflow: "/lookups/appid_lookup.csv is empty, multi-line header is missing matching quotation, or could not parse CSV header"?

euroa
Engager

We have Splunk Cloud in our environment and we installed the Citrix Netscaler with Appflow app. The app seems to be working ok, but we are seeing errors regarding the following:

+0000 WARN  SearchResults - /opt/splunk/etc/apps/SplunkforCitrixNetScaler/lookups/appid_lookup.csv is empty, multi-line header is missing matching quotation, or could not parse CSV header

I do have this file listed under lookups and lookup definitions and currently it has global permissions, however, the error above is shown. The app is present on the search heads and heavy forwarder (forwarder receiving events). I created a lookup folder on the TA app on the heavy forwarder and added the file there from the SplunkforCitrixNetscaler app folder. The issue still persists. Any idea what can be wrong?

0 Karma

jconger
Splunk Employee

That file is empty by default and relies on a saved search to populate it. Try running the "AppFlow Outputlookup AppID" saved search to populate the file or to see if the search produces any errors.

0 Karma
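Added example, not part of the thread or of the app: a Python check that tells apart the conditions named in the warning when run over a copy of the lookup file's contents. It approximates those conditions with Python's csv module and is not Splunk's own parser; the function name and the sample contents (including the appID/appName values) are constructed for illustration.

```python
import csv
import io


def diagnose_lookup(text):
    """Return (status, detail) for the contents of a CSV lookup file."""
    if not text.strip():
        return ("empty", "no header and no rows")
    lines = text.splitlines()
    # A quoted header field may span several lines, so keep consuming
    # lines until the double quotes seen so far balance out.
    header, used = "", 0
    for line in lines:
        header += ("\n" if used else "") + line
        used += 1
        if header.count('"') % 2 == 0:
            break
    else:
        return ("unmatched_quote", "a quote opened in the header never closes")
    fields = next(csv.reader(io.StringIO(header)), [])
    if not fields or any(not f.strip() for f in fields):
        return ("bad_header", "header has a blank column name")
    rows = [r for r in csv.reader(io.StringIO("\n".join(lines[used:]))) if r]
    if not rows:
        return ("header_only", "header parses but no rows were written yet")
    return ("ok", f"{len(fields)} columns, {len(rows)} rows")


# Constructed sample contents, one per condition.
SAMPLES = {
    "zero bytes": "",
    "open quote": 'appID,"appName\n12,portal\n',
    "header only": "appID,appName\n",
    "populated": "appID,appName\n12,portal\n13,mail\n",
}

if __name__ == "__main__":
    for name, content in SAMPLES.items():
        print(name, "->", diagnose_lookup(content))
```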

euroa
Engager

Thanks for the reply. I attempted running it and didn't see any events populate, so I ran it manually:
"eventtype="netscaler_appflow" appName | stats values(appName) AS "appName" by appID | outputlookup appid_lookup.csv"

and still no events are seen. I also ran it as just "eventtype="netscaler_appflow" appName" and also didn't receive events. Could it be that the Netscaler isn't sending appName data?

0 Karma