Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can you ignore indexing of a header field on a CSV file?

bsantosh
New Member
‎09-18-2018 04:28 AM

Hi,
I would like to avoid the indexing of a Header field on a CSV file. How can I do that? Can anyone help me?
thanks and regards,
Santosh

Tags (2)
0 Karma
Reply

FrankVl
Ultra Champion
‎09-19-2018 05:05 AM

Can you please clarify (perhaps with some sample data) what you want to accomplish? Do you want to ignore some header lines from the CSV file (as the answer by @richgalloway assumes) or do you want to ignore a certain field (so entire column) of the CSV file?

0 Karma
Reply

bsantosh
New Member
‎09-20-2018 12:09 AM

Hi Frank,

For Ex:

I want to on-board 'test.csv' file to splunk which has the following columns:

Incident Ticket . Location . Tower . Category . Severity
763537 Bangalore S1 Network issue Urgent
783749 London A Operating System . Normal

Now, while reading this CSV data to Splunk, I would like to ignore field from indexing. Only field values (763537, Bangalore, S1, Network Issue, Urgent) needs to be indexed into Splunk.
After indexing, the event should not contain the header fields whereas these fields should be available on the left side under Interesting Fields only.

I hope this might give you a clarity now. regards, Santosh

0 Karma
Reply

FrankVl
Ultra Champion
‎09-20-2018 01:32 AM

Yeah, so you want to interpret the header line as the field names and not ingest it as an event itself. Then the answer from @richgalloway (or something along those lines) should be the solution.

0 Karma
Reply

bsantosh
New Member
‎09-20-2018 02:01 AM

Exactly. Thanks Frank for the prompt response.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-18-2018 05:45 AM

If you use these settings in your props.conf file, the header line should be interpreted as a list of field names and not indexed.

[mysourcetype]
INDEXED_EXTRACTIONS = CSV
HEADER_FIELD_LINE_NUMBER = 0
---
If this reply helps you, Karma would be appreciated.
Reply

krish5vuda
Engager
‎01-20-2022 07:42 AM

I have tried updating props with INDEXED_EXTRACTIONS = CSV after indexing happened this is not giving me any results and i still can see header in my events

 

I have tried/tested in our dev instance and changed the index name to main in inputs.conf and tested then it is working

 

So my question here is whether this Indexed_extractions = csv doesnt work after the indexing is already done

0 Karma
Reply

bsantosh
New Member
‎09-19-2018 12:06 AM

Hi, Thanks for the solution. I will check it and reply you back. regards, Santosh

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...