Getting Data In

Can you ignore indexing of a header field on a CSV file?

bsantosh
New Member

Hi,
I would like to avoid the indexing of a Header field on a CSV file. How can I do that? Can anyone help me?
Thanks and regards,
Santosh

0 Karma

FrankVl
Ultra Champion

Can you please clarify (perhaps with some sample data) what you want to accomplish? Do you want to ignore some header lines from the CSV file (as the answer by @richgalloway assumes) or do you want to ignore a certain field (so entire column) of the CSV file?

0 Karma

bsantosh
New Member

Hi Frank,

For example:

I want to onboard the 'test.csv' file to Splunk, which has the following columns:

Incident Ticket | Location  | Tower | Category         | Severity
763537          | Bangalore | S1    | Network issue    | Urgent
783749          | London    | A     | Operating System | Normal


Now, while reading this CSV data into Splunk, I would like to ignore the field from indexing. Only the field values (763537, Bangalore, S1, Network Issue, Urgent) need to be indexed into Splunk.
After indexing, the event should not contain the header fields, whereas these fields should be available on the left side under Interesting Fields only.

I hope this gives you clarity now. Regards, Santosh

0 Karma

FrankVl
Ultra Champion

Yeah, so you want to interpret the header line as the field names and not ingest it as an event itself. Then the answer from @richgalloway (or something along those lines) should be the solution.

0 Karma

bsantosh
New Member

Exactly. Thanks Frank for the prompt response.

0 Karma

richgalloway
SplunkTrust

If you use these settings in your props.conf file, the header line should be interpreted as a list of field names and not indexed.

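[mysourcetype]
# Parse the file as structured CSV at index time
INDEXED_EXTRACTIONS = CSV
# 0 = Splunk attempts to locate the header line automatically
HEADER_FIELD_LINE_NUMBER = 0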
---
If this reply helps you, Karma would be appreciated.

krish5vuda
Engager

I have tried updating props with INDEXED_EXTRACTIONS = CSV after indexing happened. This is not giving me any results and I can still see the header in my events.

I have tried/tested in our dev instance and changed the index name to main in inputs.conf and tested, and then it is working.

So my question here is whether this Indexed_extractions = csv doesn't work after the indexing is already done?

0 Karma

bsantosh
New Member

Hi, thanks for the solution. I will check it and reply back to you. Regards, Santosh

0 Karma
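
The settings discussed in this thread, laid out end to end as an added example that is not part of any post above. The monitored path and index are assumptions, and `mysourcetype` is the placeholder name from the answer. INDEXED_EXTRACTIONS is applied while the file is being read and indexed, so it affects only data ingested after the setting is in place; with a universal forwarder, the props.conf stanza belongs on the forwarder that monitors the file.

```ini
# ---------- inputs.conf (instance that monitors the file) ----------
# Path and index are constructed for this example.
[monitor:///opt/data/test.csv]
sourcetype = mysourcetype
index = main

# ---------- props.conf (same instance as the input above) ----------
# Index-time structured parsing: the header line supplies the field
# names and is not written to the index as an event of its own.
[mysourcetype]
INDEXED_EXTRACTIONS = CSV
# 0 lets Splunk locate the header line automatically.
HEADER_FIELD_LINE_NUMBER = 0
# The sample file is comma-separated.
FIELD_DELIMITER = ,

# Events indexed before these settings were deployed keep the header
# row as an event; only newly ingested data is parsed this way.
```

Running `splunk btool props list mysourcetype --debug` on the instance shows which props.conf file each effective setting comes from.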