I'm monitoring files from a local directory on Splunk; those files are CSV files with a header that describes each field.
How do I exclude the header from being indexed each time? I think there is an option to do that.
Any idea?
Monitoring Steps:
Step 1:
vi inputs.conf
[monitor:///home/splunk/devicescollect/AgentsReads]
disabled = false
followTail = 0
host = dcpcontroller.wavemark.net
sourcetype = AgentsReads
crcSalt=
The above stanza tells Splunk to monitor the entire directory created (folders):
-AgentsReads
Those directories will contain all the files generated and sent to Splunk.
AgentsReads will contain AgentsReads_yyyymmdd.csv files.
Step 2:
vi props.conf
[AgentsReads]
SHOULD_LINEMERGE = false
TRANSFORMS-t03 = AgentsReads-fieldextraction
EXTRACT-sourcefields = /home/splunk/devicescollect/AgentsReads/(?
REPORT-AgentsReads = AgentsReads_extractions
Step 3:
vi transforms.conf
[AgentsReads_extractions]
DELIMS=","
FIELDS=DeviceId,NbrCtlrPings
I haven't tried this, but it looks like it should work if you can regex the header line.
Straight from the deployment manual page 69:
Discard specific events and keep the rest
This example discards all sshd events in /var/log/messages by sending them to nullQueue:
In props.conf, set the TRANSFORMS-null attribute:
[source::/var/log/messages]
TRANSFORMS-null= setnull
Create a corresponding stanza in transforms.conf. Set DEST_KEY to "queue" and FORMAT to "nullQueue":
[setnull]
REGEX = \[sshd\]
DEST_KEY = queue
FORMAT = nullQueue
That does it.
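Putting the two halves of this thread together, as an added example that is not part of the original question or answer: the props.conf/transforms.conf pair that routes the AgentsReads CSV header line to nullQueue with the technique quoted from the manual, next to the DELIMS/FIELDS extraction from the question, plus a small Python simulator that applies the same REGEX and delimiter settings to sample lines so the header pattern can be checked before it is deployed. The stanza name AgentsReads-dropheader, the header regex and the sample rows are assumptions built for this example, and the simulator is a test aid, not how Splunk itself parses these files.

```python
import re

# Added example (not code from the thread): the config fragments below are what
# would go in props.conf and transforms.conf; the functions after them apply the
# same settings to sample lines so the REGEX can be checked offline.
# Stanza name AgentsReads-dropheader and the header regex are assumptions.
PROPS_CONF = """
[AgentsReads]
SHOULD_LINEMERGE = false
TRANSFORMS-dropheader = AgentsReads-dropheader
REPORT-AgentsReads = AgentsReads_extractions
"""

TRANSFORMS_CONF = """
# Header line of AgentsReads_yyyymmdd.csv -> nullQueue (never indexed).
# Anchored with ^ and no trailing $ so a CRLF line ending still matches.
[AgentsReads-dropheader]
REGEX = ^DeviceId,NbrCtlrPings
DEST_KEY = queue
FORMAT = nullQueue

[AgentsReads_extractions]
DELIMS = ","
FIELDS = DeviceId,NbrCtlrPings
"""

# Constructed sample: two daily files concatenated, each with its own header.
SAMPLE_LINES = [
    "DeviceId,NbrCtlrPings",
    "CAB-0001,12",
    "CAB-0002,7",
    "DeviceId,NbrCtlrPings",
    "CAB-0001,15",
]


def parse_conf(text):
    """Parse a Splunk .conf fragment into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def null_queue_patterns(props, transforms, sourcetype):
    """Compile the REGEX of every TRANSFORMS-* on the sourcetype that routes to nullQueue."""
    patterns = []
    for key, names in props[sourcetype].items():
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in (n.strip() for n in names.split(",")):
            t = transforms[name]
            if t.get("DEST_KEY") == "queue" and t.get("FORMAT") == "nullQueue":
                patterns.append(re.compile(t["REGEX"]))
    return patterns


def delimited_fields(props, transforms, sourcetype):
    """Return (delimiter, field names) from the sourcetype's REPORT-* transform."""
    for key, name in props[sourcetype].items():
        if key.startswith("REPORT-"):
            t = transforms[name.strip()]
            return t["DELIMS"].strip('"'), [f.strip() for f in t["FIELDS"].split(",")]
    return None, []


def route_and_extract(lines, sourcetype="AgentsReads"):
    """Simulate routing: drop lines matching a nullQueue REGEX, split the rest into fields.

    Returns (indexed_events, dropped_lines).
    """
    props, transforms = parse_conf(PROPS_CONF), parse_conf(TRANSFORMS_CONF)
    drop = null_queue_patterns(props, transforms, sourcetype)
    delim, names = delimited_fields(props, transforms, sourcetype)
    indexed, dropped = [], []
    for line in lines:
        # transforms.conf REGEX is an unanchored search over _raw unless ^ is used
        if any(p.search(line) for p in drop):
            dropped.append(line)
            continue
        values = line.rstrip("\r\n").split(delim)
        indexed.append(dict(zip(names, values)))
    return indexed, dropped


if __name__ == "__main__":
    kept, gone = route_and_extract(SAMPLE_LINES)
    print("dropped:", gone)
    for event in kept:
        print("indexed:", event)
```

Run the simulator against a few real lines from an AgentsReads_yyyymmdd.csv before deploying; if a data row ever starts with the literal header text the anchored regex would drop it too, so tighten the REGEX if the first column can contain such values.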