https://community.splunk.com/t5/Getting-Data-In/Newbie-Question-CSV-with-header/m-p/66014#M96946 <P>Hey everyone. First, thanks for helping with all of my newbie questions, I really appreciate it. Right now I am trying to feed .CSV files into splunk. Each csv is set up in the following format:</P> <PRE><CODE>TIMESTAMP,HEADERITEM1,...,LASTHEADER R1TIMESTAMP,R1DATA2,...,R1LASTDATA R2TIMESTAMP,R2DATA2,...,R2LASTDATA R3TIMESTAMP,R3DATA2,...,R3LASTDATA R4TIMESTAMP,R4DATA2,...,R4LASTDATA </CODE></PRE> <P>I am trying to remove or just ignore the header line, but it still keeps getting indexed. I have set up my props.conf file to look like this:</P> <PRE><CODE>[sip-acl] REPORT-sipaclparse=sip-acl_parse TRANSFORMS-null=setnullsip-acl </CODE></PRE> <P>And the transforms.conf file to look like this:</P> <PRE><CODE>[sip-acl_parse] DELIMS="," FIELDS="TIMESTAMP", "HEADERITEM1", ... ,"LASTHEADER" [setnullsip-acl] REGEX=TIMESTAMP,HEADERITEM1 DEST_KEY=nullQueue FORMAT=nullQueue AT=nullQueue </CODE></PRE> <P>Can anyone tell me what I'm doing wrong? I'd appreciate the help. Thanks!</P> Thu, 07 Oct 2010 21:22:15 GMT msarro 2010-10-07T21:22:15Z https://community.splunk.com/t5/Getting-Data-In/Newbie-Question-CSV-with-header/m-p/66014#M96946 <P>Hey everyone. First, thanks for helping with all of my newbie questions, I really appreciate it. Right now I am trying to feed .CSV files into splunk. Each csv is set up in the following format:</P> <PRE><CODE>TIMESTAMP,HEADERITEM1,...,LASTHEADER R1TIMESTAMP,R1DATA2,...,R1LASTDATA R2TIMESTAMP,R2DATA2,...,R2LASTDATA R3TIMESTAMP,R3DATA2,...,R3LASTDATA R4TIMESTAMP,R4DATA2,...,R4LASTDATA </CODE></PRE> <P>I am trying to remove or just ignore the header line, but it still keeps getting indexed. I have set up my props.conf file to look like this:</P> <PRE><CODE>[sip-acl] REPORT-sipaclparse=sip-acl_parse TRANSFORMS-null=setnullsip-acl </CODE></PRE> <P>And the transforms.conf file to look like this:</P> <PRE><CODE>[sip-acl_parse] DELIMS="," FIELDS="TIMESTAMP", "HEADERITEM1", ... ,"LASTHEADER" [setnullsip-acl] REGEX=TIMESTAMP,HEADERITEM1 DEST_KEY=nullQueue FORMAT=nullQueue AT=nullQueue </CODE></PRE> <P>Can anyone tell me what I'm doing wrong? I'd appreciate the help. Thanks!</P> Thu, 07 Oct 2010 21:22:15 GMT https://community.splunk.com/t5/Getting-Data-In/Newbie-Question-CSV-with-header/m-p/66014#M96946 msarro 2010-10-07T21:22:15Z https://community.splunk.com/t5/Getting-Data-In/Newbie-Question-CSV-with-header/m-p/66015#M96947 <P>Looks like your transformer your using to drop the header isn't quite right. Try this instead:</P> <PRE><CODE>[setnullsip-acl] REGEX = ^TIMESTAMP,HEADERITEM1 DEST_KEY=queue FORMAT=nullQueue </CODE></PRE> <P>I'm assuming that your regex is correct. I recommend using an external regex testing utility for this kind of thing. I use one all the time and it has saved me from tons of headaches.</P> Thu, 07 Oct 2010 21:26:07 GMT https://community.splunk.com/t5/Getting-Data-In/Newbie-Question-CSV-with-header/m-p/66015#M96947 Lowell 2010-10-07T21:26:07Z https://community.splunk.com/t5/Getting-Data-In/Newbie-Question-CSV-with-header/m-p/66016#M96948 <P>That worked perfectly, thank you so much!</P> Thu, 07 Oct 2010 21:46:33 GMT https://community.splunk.com/t5/Getting-Data-In/Newbie-Question-CSV-with-header/m-p/66016#M96948 msarro 2010-10-07T21:46:33Z