I have a CSV file that has a header/title section with some interesting information in it (the run, application version, username, etc).

It then has 2 sections of CSV data with the same field names, but one is an exception section and one is the actual data. It looks like this:

Run ID,100
Run Date/Time,6/13/2019 7:07:51 PM
Application Name,
Application Version,1.0.0.0
Protocol Name,
User Name,John Doe

[EXCEPTIONS]
field1,field2,field3,field4
value1,value2,value3,value4

[DETAILS]
field1,field2,field3,field4
value1,value2,,value4

I am trying to avoid writing code to pre parse the data to something a little more Splunk friendly. Any ideas on how to leverage props/transforms to get the Run ID, Timestamp, Username in each line under the 2 csv sections?

We are ok with merging the exceptions and details sections into 1 as we do not necessarily need to distinguish between the 2 sections. But we do need to leverage one of the field rows as the CSV header values.

Help appreciated! 🙂