https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-and-transforms-conf-to-ignore-the/m-p/200910#M39698 <P>IGNORE: Also, add <CODE>HEADER_MODE = firstline</CODE> to treat first line as header (will not get ingested).</P> Mon, 19 Sep 2016 18:22:06 GMT somesoni2 2016-09-19T18:22:06Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-and-transforms-conf-to-ignore-the/m-p/200908#M39696 <P>We have following log file which we need to import in Splunk:</P> <PRE><CODE>"cdrRecordType","globalCallID_callManagerId","globalCallID_callId","nodeId","directoryNum","callIdentifier","dateTimeStamp","numberPacketsSent","numberOctetsSent","numberPacketsReceived","numberOctetsReceived","numberPacketsLost","jitter","latency","pkid","directoryNumPartition","globalCallId_ClusterID","deviceName","varVQMetrics" INTEGER,INTEGER,INTEGER,INTEGER,VARCHAR(50),INTEGER,INTEGER,INTEGER,INTEGER,INTEGER,INTEGER,INTEGER,INTEGER,INTEGER,UNIQUEIDENTIFIER,VARCHAR(50),VARCHAR(50),VARCHAR(129),VARCHAR(600) 2,15,2768615,15,"10063114030",259142886,1471391005,827,121400,565,87061,0,0,0,"1014e40e-i061-2ii6-6cbb-q3e610140ec0","PART_FAKE_LINE1","FBSNEUC01","CIPCqcwecoe","MLQK=0.0000;MLQKav=0.0000;MLQKmn=0.0000;MLQKmx=0.0000;MLQKvr=null;CCR=0.0000;ICR=0.0000;ICRmx=0.0000;CS=0;SCS=0" </CODE></PRE> <P>I am ignoring Headers using following config:</P> <P><STRONG>props.conf</STRONG></P> <PRE><CODE>[collab_cm_cmr_data] pulldown_type = 1 SHOULD_LINEMERGE = false INDEXED_EXTRACTIONS = CSV FIELD_DELIMITER = , TRANSFORMS-header_nullq = header_nullq FIELD_QUOTE = " NO_BINARY_CHECK = true category = Cisco CMS Ver. 1 description = An comma delimited output of CM CMR file. </CODE></PRE> <P><STRONG>transforms.conf</STRONG></P> <PRE><CODE>[header_nullq] DEST_KEY = queue REGEX = ^TimeStamp FORMAT = nullqueue </CODE></PRE> <P>Similarly, I want to ignore the second line so I have added following configuration. But it's not working: </P> <P><STRONG>props.conf</STRONG> </P> <PRE><CODE>TRANSFORMS-null = discard_row </CODE></PRE> <P><STRONG>transforms.conf</STRONG></P> <PRE><CODE>[discard_row] DEST_KEY = queue REGEX=^INTEGER FORMAT = nullqueue </CODE></PRE> <P>SO basically I want to ignore both 1st and 2nd row. Can someone guide me with what is wrong with above config?</P> Mon, 19 Sep 2016 17:43:10 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-and-transforms-conf-to-ignore-the/m-p/200908#M39696 asaste 2016-09-19T17:43:10Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-and-transforms-conf-to-ignore-the/m-p/200909#M39697 <P>You spelled <CODE>nullQueue</CODE> wrong (casing matters). Fix that and restart and BINGO!</P> Mon, 19 Sep 2016 17:47:54 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-and-transforms-conf-to-ignore-the/m-p/200909#M39697 woodcock 2016-09-19T17:47:54Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-and-transforms-conf-to-ignore-the/m-p/200910#M39698 <P>IGNORE: Also, add <CODE>HEADER_MODE = firstline</CODE> to treat first line as header (will not get ingested).</P> Mon, 19 Sep 2016 18:22:06 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-and-transforms-conf-to-ignore-the/m-p/200910#M39698 somesoni2 2016-09-19T18:22:06Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-and-transforms-conf-to-ignore-the/m-p/200911#M39699 <P>The problem is there is a header on the firstline (indicates field names) and a "typer" as the second line (describing data types). It is the 2nd "typer" line that needs to be ignored.</P> Mon, 19 Sep 2016 18:35:09 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-and-transforms-conf-to-ignore-the/m-p/200911#M39699 woodcock 2016-09-19T18:35:09Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-and-transforms-conf-to-ignore-the/m-p/200912#M39700 <P>Ohh I misread. I take that back.</P> Mon, 19 Sep 2016 18:42:12 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-and-transforms-conf-to-ignore-the/m-p/200912#M39700 somesoni2 2016-09-19T18:42:12Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-and-transforms-conf-to-ignore-the/m-p/200913#M39701 <P>HI,<BR /> I tried this, but No success</P> <PRE><CODE>[header_nullq] DEST_KEY = queue REGEX = ^TimeStamp FORMAT = nullQueue [discard_row] DEST_KEY = queue REGEX= ^INTEGER FORMAT = nullQueue </CODE></PRE> Mon, 19 Sep 2016 18:43:33 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-and-transforms-conf-to-ignore-the/m-p/200913#M39701 asaste 2016-09-19T18:43:33Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-and-transforms-conf-to-ignore-the/m-p/200914#M39702 <P>The question is not really clear. It looks like you want to use the first line as a csv field name input, and ignore the second line.<BR /> If that is the case, then you should be able to ignore the second line with props.conf (no entry in transforms required):</P> <PRE><CODE>props.conf HEADER_FIELD_LIINE_NUMBER = 2 </CODE></PRE> <P>This is assuming that "INTEGER,INTEGER,INTEGER,INTEGER,VARCHAR(50),INTEGER,INTEGER,INTEGER,INTEGER,INTEGER,INTEGER,INTEGER,INTEGER,INTEGER,UNIQUEIDENTIFIER,VARCHAR(50),VARCHAR(50),VARCHAR(129),VARCHAR(600)" is line number 2.</P> Mon, 19 Sep 2016 19:06:29 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-and-transforms-conf-to-ignore-the/m-p/200914#M39702 lukejadamec 2016-09-19T19:06:29Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-and-transforms-conf-to-ignore-the/m-p/200915#M39703 <P>It ONLY effects data that comes in AFTER the splunk restart after you updated it. Once data hits the indexer, it is immutable and will stay in that format forever. Also, I don't see that <CODE>^TimeStamp</CODE> will ever match anything (not in your example data, anyway).</P> Mon, 19 Sep 2016 19:32:05 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-and-transforms-conf-to-ignore-the/m-p/200915#M39703 woodcock 2016-09-19T19:32:05Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-and-transforms-conf-to-ignore-the/m-p/200916#M39704 <P>Sorry if i made confusion while putting my question. Yes, I want to use the first line as a csv field name input, and ignore the second line.</P> <P>I tried following 2 options separately as well, but no success</P> <P>HEADER_FIELD_LINE_NUMBER = 2</P> <P>PREAMBLE_REGEX = ^INTEGER</P> Tue, 29 Sep 2020 11:02:44 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-and-transforms-conf-to-ignore-the/m-p/200916#M39704 asaste 2020-09-29T11:02:44Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-and-transforms-conf-to-ignore-the/m-p/200917#M39705 <P>Yes, after changes I restarted Splunk and modified input file so that it can be again consumed by SPlunk. But that didn't helped.<BR /> Thanks for pointing out ^TimeStamp </P> Tue, 20 Sep 2016 13:31:08 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-and-transforms-conf-to-ignore-the/m-p/200917#M39705 asaste 2016-09-20T13:31:08Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-and-transforms-conf-to-ignore-the/m-p/200918#M39706 <P>I found similar problem on another thread , now I am keeping eye on that thread as well</P> <P><A href="https://answers.splunk.com/answers/209824/how-to-get-splunk-to-ignore-the-second-line-of-a-l.html#comment-452615">https://answers.splunk.com/answers/209824/how-to-get-splunk-to-ignore-the-second-line-of-a-l.html#comment-452615</A></P> Tue, 20 Sep 2016 13:33:43 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-and-transforms-conf-to-ignore-the/m-p/200918#M39706 asaste 2016-09-20T13:33:43Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-and-transforms-conf-to-ignore-the/m-p/200919#M39707 <P>I took your 3 lines, made multiple copies of line3 to grow the file, and then tried these configs (no transforms.conf)</P> <PRE><CODE>inputs.conf [monitor://C:\temp\Splunk\test\ignoreLine2\test.txt] disabled = 0 index = test sourcetype = testtype props.conf [testtype] pulldown_type=1 SHOULD_LINEMERGE=false INDEXED_EXTRACTIONS=CSV HEADER_FIELD_LINE_NUMBER=2 FIELD_DELIMITER=, FIELD_QUOTE=" NO_BINARY_CHECK=true </CODE></PRE> <P>The first time I tried without HEADER_FIELD_LINE_NUMBER=2 and I did get the line 2 in the test index.<BR /><BR /> The second time, I added the HEADER_FIELD_LINE_NUMBER=2 and replaced INTEGER with INTEGER2 and 2,15, with 3,16, so that the input file was changed enough to reindex, and after a Splunk restart did not get INTEGER2 in the index, but did get the events with 3,16.<BR /> Perhaps you are confusing Splunk with your transforms method of removing line 2.</P> Tue, 29 Sep 2020 11:02:50 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-and-transforms-conf-to-ignore-the/m-p/200919#M39707 lukejadamec 2020-09-29T11:02:50Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-and-transforms-conf-to-ignore-the/m-p/200920#M39708 <P>Hi, I just test your suggestion, but with your configuration the fields are not present in splunk. Instead of that you will find fields like INTEGER, VARCHAR and so on. So for me is not a working solution. </P> <P>Does somebody found another way? </P> Tue, 21 Feb 2017 13:01:22 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-and-transforms-conf-to-ignore-the/m-p/200920#M39708 krusty 2017-02-21T13:01:22Z