NxLog parsing issues with CSV | Log collection solutions

#1 Deleted user 5 years ago

Hello,

I have a CSV column that has returns in it. If I try to run NxLog, it errors out saying it expected 16 columns and got 0 (for the blank lines), got 1 (when there was one entry), etc.

The configuration I have works if I open up the CSV in excel or something and replace the returns with a ; instead.

I was wondering if there was a way to do that with NxLog. Maybe something like

Exec $Message = replace($column11, "\r\n", ";");

but i cannot seem to get NxLog to run correctly because it's spitting out the errors stated above.

Any help would be great.

Thanks

Permalink

#2 Deleted user 5 years ago

#1 Deleted user

Hello, I have a CSV column that has returns in it. If I try to run NxLog, it errors out saying it expected 16 columns and got 0 (for the blank lines), got 1 (when there was one entry), etc. The configuration I have works if I open up the CSV in excel or something and replace the returns with a ; instead. I was wondering if there was a way to do that with NxLog. Maybe something like Exec $Message = replace($column11, "\r\n", ";"); but i cannot seem to get NxLog to run correctly because it's spitting out the errors stated above. Any help would be great. Thanks

It looks like this in a text file.

EventID	MachineName	Data	Index	Category	CategoryNumber	EntryType	Message	Source	ReplacementStrings	InstanceId	TimeGenerated	TimeWritten	UserName

    538	tst-srv	System.Byte[]	66036704	Logon/Logoff	2	SuccessAudit	**User Logoff:
    
    	User Name:	tst-srv$
    
    	Domain:		tst.com
    
    	Logon ID:		(0x2,0x507D04B9)
    
    	Logon Type:	3**
    	Security	System.String[]	538	8/7/2018 19:17	8/7/2018 19:17	NT AUTHORITY\SYSTEM

But when you open it in Excel, all the paragraph data within the ** is under the Message Column. In text, it's in quotes. I just switched to ** to pick out a little easier.

I hope this helps