I want to skip first six header lines since they don't have time stamp information to index.please help
McAfee ePO 184.108.40.2066
Server name: XXXXXXXX(XXXXXXXX.XXXX.XXXX.XXXXXXX.com.XX)
Platform: Server 6.2
Physical memory: 16383 MB
20180123154844 I #02828 NAIMSERV PSO load: id=7298 ts=6480670
I'd suggest sending them to nullQueue at index time. The configuration to do this may look something like the below.
TRANSFORMS-removeHeaders = removeHeaders
REGEX = ^[^0-9]
DEST_KEY = queue
FORMAT = nullQueue
Specifically this will drop any line that does not start with a number.
For general direction, consider reading the Route and filter data documentation.