topic Re: Removing 1st line from the event in Splunk Search

Removing 1st line from the event

prathapkcsc — Fri, 16 Jun 2017 19:17:38 GMT

Hi,
I have a event with the column names like Type Category Count CPU in my event 1st line.
I don't want the columns names in my splunk report.
How do i remove the 1st line of the event
Thank you!

Re: Removing 1st line from the event

horsefez — Fri, 16 Jun 2017 19:34:08 GMT

Hi,

i found a neat solution for this.

Try the following as in this example:

index=_internal | table host source sourcetype | rename host AS " " source AS "  " sourcetype AS "   "

rename the first field with only one space character, the second with two space characters, the third with three space characters... and so on

This removes the column names 🙂

Re: Removing 1st line from the event

somesoni2 — Fri, 16 Jun 2017 19:35:19 GMT

Your requirement is better understood with a sample event, and corresponding expected output. (it's confusing when you say you've columns and you want to remove line??)

Re: Removing 1st line from the event

prathapkcsc — Fri, 16 Jun 2017 19:50:20 GMT

TYPE                            Category             Count           CPU Usage (%)
Data Node                       Hadoop                26               0.17
Flume                           Hadoop                9                0.2
ResourceManager                 Hadoop                2                0.06
Hadoop                          ZooKeeper             5                0.19
Foyer                           Hadoop                2                0.28
Splunk                          Hadoop                1                0.06
RabbitMQ                        Non-Hadoop            7                0.98
PostGreSQL                      Non-Hadoop            3                0.11
TC_Server                       Non-Hadoop            12               0.67
Edge                            Hadoop                2                0.19

This is my event.
Here, i don't want the 1st column

Re: Removing 1st line from the event

aliakseidzianis — Fri, 16 Jun 2017 20:40:01 GMT

It probably means that splunk does not see it as a header. Look at the props section about structured data

FIELD_HEADER_REGEX = <regex>
* A regular expression that specifies a pattern for prefixed headers. Note
  that the actual header starts after the pattern and it is not included in
  the header field.
* This attribute supports the use of the special characters described above.

HEADER_FIELD_LINE_NUMBER = <integer>
* Tells Splunk the line number of the line within the file that contains the
  header fields.  If set to 0, Splunk attempts to locate the header fields
  within the file automatically.
* The default value is set to 0.

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf#Structured_Data_Header_Extraction_and_configuration

Re: Removing 1st line from the event

aliakseidzianis — Fri, 16 Jun 2017 20:45:20 GMT

I downvoted this post because it does not seems like it has anything to do with the question. why would you want your data without any column names?

Re: Removing 1st line from the event

prathapkcsc — Tue, 29 Sep 2020 14:31:16 GMT

I seen this. I made the respective changes also.
What to put here
FIELD_HEADER_REGEX =

Re: Removing 1st line from the event

aliakseidzianis — Fri, 16 Jun 2017 20:51:47 GMT

Regular expression for your header. Since you have not provided sample for your data, i cannot tell exactly. You can use something like https://regex101.com/#python to help you write a regex.

Re: Removing 1st line from the event

horsefez — Fri, 16 Jun 2017 20:52:59 GMT

this was the original request by the poster...

Re: Removing 1st line from the event

aliakseidzianis — Fri, 16 Jun 2017 20:55:18 GMT

My understanding that his main question is: "How do i remove the 1st line of the event". But I may be wrong. I agree, it is not very clear.

Re: Removing 1st line from the event

prathapkcsc — Fri, 16 Jun 2017 20:59:54 GMT

TYPE                            Category             Count           CPU Usage (%)
Data Node                       Hadoop                26               0.17
Flume                           Hadoop                9                0.2
ResourceManager                 Hadoop                2                0.06
Hadoop                          ZooKeeper             5                0.19
Foyer                           Hadoop                2                0.28
Splunk                          Hadoop                1                0.06
RabbitMQ                        Non-Hadoop            7                0.98
PostGreSQL                      Non-Hadoop            3                0.11
TC_Server                       Non-Hadoop            12               0.67
Edge                            Hadoop                2                0.19

This is my sample data`

Re: Removing 1st line from the event

prathapkcsc — Fri, 16 Jun 2017 21:01:56 GMT

Sorry. My main requirement is i want to remove the 1st line of the event. which is like this

TYPE                            Category             Count           CPU Usage (%)
Data Node                       Hadoop                26               0.17
Flume                           Hadoop                9                0.2
ResourceManager                 Hadoop                2                0.06
Hadoop                          ZooKeeper             5                0.19
Foyer                           Hadoop                2                0.28
Splunk                          Hadoop                1                0.06
RabbitMQ                        Non-Hadoop            7                0.98
PostGreSQL                      Non-Hadoop            3                0.11
TC_Server                       Non-Hadoop            12               0.67
Edge                            Hadoop                2                0.19

Re: Removing 1st line from the event

aaraneta_splunk — Fri, 16 Jun 2017 21:17:46 GMT

@aliakseidzianisau - Downvoting should be reserved for suggestions/solutions that could be potentially harmful for a Splunk environment or goes completely against known best practices. pyro_wood was attempting to answer the question even though the original poster was vague in their explanation.

Re: Removing 1st line from the event

aliakseidzianis — Mon, 19 Jun 2017 13:59:44 GMT

my bad. Thanks for clarification!

Re: Removing 1st line from the event

kamlesh_vaghela — Tue, 20 Jun 2017 05:06:03 GMT

Hi @prathapkcsc,

Can you please try below rex?? Here I tried to separate First Line and remaining.

<<YOUR SEARCH>> | rex field=_raw "^(?<firstLine>.*)\n.(?<remainingLine>[\s\S]*)$" |  table firstLine remainingLine

Thanks
Kamlesh