Hey everyone. First, thanks for helping with all of my newbie questions, I really appreciate it. Right now I am trying to feed .CSV files into Splunk. Each CSV is set up in the following format:
I am trying to remove or just ignore the header line, but it still keeps getting indexed.
I have set up my props.conf file to look like this:
And the transforms.conf file to look like this:
FIELDS="TIMESTAMP", "HEADERITEM1", ... ,"LASTHEADER"
Can anyone tell me what I'm doing wrong? I'd appreciate the help. Thanks!
Looks like the transformer you're using to drop the header isn't quite right. Try this instead:
REGEX = ^TIMESTAMP,HEADERITEM1
I'm assuming that your regex is correct. I recommend using an external regex testing utility for this kind of thing. I use one all the time and it has saved me from tons of headaches.
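A way to check a header-dropping pattern offline before deploying it, as an added example that is not part of the original posts. The sample events are constructed, `TOLERANT_HEADER_RE` is a hypothetical variant for quoted column names, and Python's `re` stands in for Splunk's PCRE engine, which behaves the same for these simple anchored patterns.

```python
import re

# Pattern from the answer above.
HEADER_RE = re.compile(r'^TIMESTAMP,HEADERITEM1')

# Hypothetical variant (an assumption, not from the thread): also matches
# when the CSV writer quotes the column names or pads them with spaces.
TOLERANT_HEADER_RE = re.compile(r'^\s*"?TIMESTAMP"?\s*,\s*"?HEADERITEM1"?')

# Constructed sample events, one per CSV line as it would be indexed.
SAMPLE_EVENTS = [
    'TIMESTAMP,HEADERITEM1,HEADERITEM2,LASTHEADER',           # plain header
    '"TIMESTAMP","HEADERITEM1","HEADERITEM2","LASTHEADER"',   # quoted header
    '2012-03-01 10:15:00,alpha,42,ok',                        # normal data row
    '2012-03-01 10:16:00,TIMESTAMP,HEADERITEM1,ok',           # header words mid-row
]


def classify(events, pattern):
    """Split events into (dropped, indexed) according to the pattern.

    An event the pattern matches is one the transform would discard;
    everything else would still be indexed.
    """
    dropped, indexed = [], []
    for event in events:
        (dropped if pattern.search(event) else indexed).append(event)
    return dropped, indexed


if __name__ == "__main__":
    for name, pattern in (("answer", HEADER_RE), ("tolerant", TOLERANT_HEADER_RE)):
        dropped, indexed = classify(SAMPLE_EVENTS, pattern)
        print(f"{name}: drops {len(dropped)}, indexes {len(indexed)}")
        for event in indexed:
            print("  still indexed:", event)
```

The `^` anchor is what keeps the last data row from being discarded even though it contains the header words; a header line that still gets indexed after the change usually means the raw line starts with a character the pattern does not expect.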
That worked perfectly, thank you so much!