Re: ES Security App: Multi-line header is missing ...

neelamsantosh · ‎04-06-2016

I have recurring warnings in splunkd logs with
multi-line header is missing matching quotation, or could not parse CSV header
Though i have replaced the headers with default value of .csv file.

jwelch_splunk · ‎04-19-2016

This is a bug with outputlookup. When no results are found it overwrites the csv with nothing, which in turns overwrites the header of the csv. This is being addressed.

To eliminate this spam

cd /opt/splunk/etc/
create a file called log-local.cfg
add this line:
category.SearchResults=ERROR

I would restart splunk to be safe, but this will eliminate those Spam messages.

dshpritz · ‎04-18-2016

This is a bug in ES/Core where the lookup searches/scripts that output the various threat intel lookups do not output headers if there are no results for the lookup in question. The other option is that these messages should only occur at DEBUG, not WARN. I believe it is listed as SPL-114701.

Edit: Some additional info. You can replace the empty versions of these files with their .default counterparts, but be aware that there is a good chance that they will be replaced with empty versions again on the next run.

woodcock · ‎04-06-2016

Do this:

https://answers.splunk.com/answers/306569/corrupt-csv-header-how-to-find-the-corrupted-csv.html#answ...

neelamsantosh · ‎04-18-2016

Thanks Woodcock,
That didn't help me.

ES Security App: Multi-line header is missing matching quotation, or could not parse CSV header

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases

Detecting Remote Code Executions With the Splunk Threat Research Team