New Member.
581 views

CSV report - Arcsight doesn't generate a valid CSV report!

Hi all,

I've problem to generate a goode CSV from ArcSight. Indeed it seems that ArcSight doesn't pay any attention to carriage return in a Field and on commas!

Indeed, ArcSight Accept usage of Carriage return in a Field, it result that when you try to parse your CSV, the line is truncated as we have a Carriage return before the end of the line!

Another thing, some field can contain Comma (,) and in that way too, ArCsight doesn't use Comma escape mecanism!

This is very ennoying.

I tried ti use velocity template in my query to remove replace Carriage return by space and commas by another seperator, but Velocity Template are not authorized in Queries...

Doyou have any suggestion?

regards

Labels (3)
Tags (4)
0 Likes
Reply
5 Replies
Highlighted
Acclaimed Contributor.
Acclaimed Contributor.

Re: CSV report - Arcsight doesn't generate a valid CSV report!

You can modify the sree.properties ($ARCSIGHT_HOME/manager/reports) file to control this behavior.  In your case you probably want to set the following:

export.csv.quote="

You can also change the delimiter:

export.csv.delimiter=|

This does not appear to require a service restart.

ref: Miscellaneous Report Properties

0 Likes
Reply
Highlighted
New Member.

Re: CSV report - Arcsight doesn't generate a valid CSV report!

Thanks Richard!

I was not aware about this properties 🙂

However, it doesn't solve my problem. Indeed, generated CSV is not correct because of carriage return in reported ArcSight Field.

For example in DeviceCustomString4 I've this value:

Position 1:User:CD12543

Attempt validation

ticket 32654212445633///455211Banking

This should be in one line, remplacing \n (carriage return) by Space

But Can't find a way to do that.

I report on Value from my trend.

0 Likes
Reply
Highlighted
Acclaimed Contributor.
Acclaimed Contributor.

Re: CSV report - Arcsight doesn't generate a valid CSV report!

I'd be somewhat inclined to remove carriage returns at the connector level.  If this is a flex connector then you obviously have the access to do this.  If it's a smart connector, you could use a map file and an expression based setter with

set.expr(deviceCustomString4).event.deviceCustomString4
__replaceAll(deviceCustomString4,"\n", " ")
0 Likes
Reply
Highlighted
New Member.

Re: CSV report - Arcsight doesn't generate a valid CSV report!

Yes, I though about that solution.

However it's difficult as I can't touch to the production (we are very segregated), this is why I need to find a solution with the console 😕

0 Likes
Reply
Highlighted
Acclaimed Contributor.
Acclaimed Contributor.

Re: CSV report - Arcsight doesn't generate a valid CSV report!

It's a bit of a hack and there's an overhead involved but you could use a pre-persistence rule to do what I suggested with the map file to clean up new events coming in.

0 Likes
Reply
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.