Getting Data In

Exclude CSV Header from monitoring and being indexed

royimad
Builder

I'm monitoring files from a local directory on splunk , those files are CSV's files with a header that describe each fields
How to exclude the header from being indexed each time? I think there is an option to do that.
Any idea?

Monitoring Steps:

Step 1:
vi inputs.conf
[monitor:///home/splunk/devicescollect/AgentsReads]
disabled = false
followTail = 0
host = dcpcontroller.wavemark.net
sourcetype = AgentsReads
crcSalt=

The above line will tell splunk to monitor the entire directory created ( folders)
-AgentsReads

Those directories will contains all the files generated and send to splunk
AgentsReads will contain AgentsReads_yyyymmdd.csv files

Step 2:

Vi props.conf
[AgentsReads]
SHOULD_LINEMERGE = false
TRANSFORMS-t03 = AgentsReads-fieldextraction
EXTRACT-sourcefields = /home/splunk/devicescollect/AgentsReads/(?.)_(?.).csv in source
REPORT-AgentsReads = AgentsReads_extractions

Step 3:
Vi transforms.conf
[AgentsReads_extractions]
DELIMS=","
FIELDS=DeviceId,NbrCtlrPings

0 Karma

antlefebvre
Communicator

I haven't tried this, but it looks like it should work if you can regex the header line.

Straight from the deployment manual page 69:

Discard specific events and keep the rest

This example discards all sshd events in /var/log/messages by sending them to
nullQueue:

In props.conf, set the TRANSFORMS-null attribute:

[source::/var/log/messages]

TRANSFORMS-null= setnull

Create a corresponding stanza in transforms.conf. Set DEST_KEY to "queue"
and FORMAT to "nullQueue":

[setnull]

REGEX = \[sshd\]

DEST_KEY = queue

FORMAT = nullQueue

That does it.

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...