Avoid unintentional execution of fields within CSV files in third party applications
When you run a search on the Splunk platform, you can export those results as a comma separated values (CSV) file. If you then later open this file in an application like Microsoft Excel or Apache OpenOffice, any fields that are in the CSV file can execute within those applications.
Take the following example:
- On the Splunk platform, you run the following search:
stats count | eval trick ="=1+1"
- You export the results as a CSV file.
- You then open the file in Microsoft Excel.
- Because the CSV file has a field "=1+1", Excel calculates that field and gets the result of
2
.
To avoid this problem, you can do one of the following:
- Edit the CSV file using a text editor before you import the file into Excel or OpenOffice. For any field in the file that begins with the following characters, add a space to the beginning of and remove any tab characters (0x09) within the field:
- =
- -
- "
- @
- +
- Append any field that starts with the previously listed characters with an apostrophe (').
- On the Splunk platform, confirm that users do not hold a role that has the "export_results_is_visible" capability. This capability displays the "Export results" button in the search results window. You cannot generate CSV files at all if you do not hold a role that has this capability.
Troubleshoot Splunk forwarder TCP tokens | Define roles on the Splunk platform with capabilities |
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408
Feedback submitted, thanks!