Re: CSV headers appear as event

ninisimonishvil · ‎03-01-2019

I have a CSV file that updates every now and then. I'm monitoring it via Splunk. However, the problem is that the first line of the file contains column names.

for example:

TIME;NAME;CAUSE;MONITOR;

and then comes the values 20190301;thename;problem; 1

I don't need column names to appear as an event. However, I was not able to find a solution that would work, I tried adding following lines in props.conf

HEADER_FIELD_LINE_NUMBER = 1
 HEADER_FIELD_DELIMITER = ;
 FIELD_DELIMITER = ;

But no success. suggestions?

chrisyounger · ‎03-01-2019

This is one way you can do it: (ref: https://docs.splunk.com/Documentation/Splunk/7.2.4/Forwarding/Routeandfilterdatad#Discard_specific_e... )

In props.conf, set the TRANSFORMS-null attribute:

[your_sourcetype]
TRANSFORMS-null= discard_header_row

In transforms.conf:

[discard_header_row]
REGEX = ^\s*TIME,
DEST_KEY = queue
FORMAT = nullQueue

Hope this helps

tiagofbmm · ‎03-01-2019

Have you tried the native CSV structured sourcetype in Splunk to parse that? The header wouldd be just fine:

[ csv ]
CHARSET=UTF-8
INDEXED_EXTRACTIONS=csv
KV_MODE=none
SHOULD_LINEMERGE=false
category=Structured
description=Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled=false
pulldown_type=true

CSV headers appear as event

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms