I have a CSV file that updates every now and then. I'm monitoring it via Splunk. However, the problem is that the first line of the file contains column names.
For example:
TIME;NAME;CAUSE;MONITOR;
and then come the values 20190301;thename;problem; 1
I don't need the column names to appear as an event. However, I was not able to find a solution that would work. I tried adding the following lines to props.conf:
HEADER_FIELD_LINE_NUMBER = 1
HEADER_FIELD_DELIMITER = ;
FIELD_DELIMITER = ;
But no success. Suggestions?
This is one way you can do it: (ref: https://docs.splunk.com/Documentation/Splunk/7.2.4/Forwarding/Routeandfilterdatad#Discard_specific_e... )
In props.conf, set the TRANSFORMS-null attribute:
[your_sourcetype]
TRANSFORMS-null = discard_header_row
In transforms.conf:
[discard_header_row]
# The file in the question is ';'-delimited, so the header must be matched with ';' rather than ','
REGEX = ^\s*TIME;
DEST_KEY = queue
FORMAT = nullQueue
Hope this helps
Have you tried the native CSV structured sourcetype in Splunk to parse that? The header would be just fine:
[csv]
CHARSET=UTF-8
INDEXED_EXTRACTIONS=csv
KV_MODE=none
SHOULD_LINEMERGE=false
# The file in the question uses ';' rather than the default ',' as its delimiter
FIELD_DELIMITER=;
HEADER_FIELD_DELIMITER=;
category=Structured
description=Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled=false
pulldown_type=true
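To make the difference between the two answers concrete, here is an added example (not Splunk code, and not from either answer) that models both behaviours in plain Python over a constructed copy of the file from the question: the nullQueue approach drops any event line matching the header regex, while the structured CSV approach consumes the header as field names. It also shows why a regex written with ',' would silently keep the header of a ';'-delimited file.

```python
import csv
import io
import re

# Constructed sample of the file from the question: a header row followed by
# data rows, all ';'-delimited (the trailing ';' leaves an empty last field).
SAMPLE = """TIME;NAME;CAUSE;MONITOR;
20190301;thename;problem;1
20190302;othername;ok;0
"""

# Approach 1 (first answer): a transforms.conf-style regex sends matching
# events to nullQueue. It has to use the file's real delimiter, ';'.
HEADER_RE = re.compile(r"^\s*TIME;")
WRONG_HEADER_RE = re.compile(r"^\s*TIME,")  # the comma version from the answer


def route_events(text: str, header_re: re.Pattern = HEADER_RE) -> list[str]:
    """Return the lines that would reach the index; header matches are discarded."""
    return [line for line in text.splitlines() if not header_re.match(line)]


# Approach 2 (second answer): INDEXED_EXTRACTIONS=csv reads the first line as
# field names and turns each later line into a field -> value event, so the
# header never becomes an event of its own.
def structured_events(text: str, delimiter: str = ";") -> list[dict[str, str]]:
    reader = csv.reader(io.StringIO(text), delimiter=delimiter)
    header = [name for name in next(reader) if name]  # drop the empty trailing name
    events = []
    for row in reader:
        if not row:  # skip blank lines
            continue
        events.append(dict(zip(header, row)))
    return events


if __name__ == "__main__":
    print("nullQueue, ';' regex :", route_events(SAMPLE))
    print("nullQueue, ',' regex :", route_events(SAMPLE, WRONG_HEADER_RE))
    print("structured CSV       :", structured_events(SAMPLE))
```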