While trying to get the data from UF to indexer, the header is getting indexed as well. Attached the log file and the input.conf and props.conf configured currently
props.conf:
[linux_secure]
HEADER_FIELD_LINE_NUMBER = 1
FIELD_DELIMITER = ~^~
EVENT_BREAKER = "([\r\n]+)"
inputs.conf
[monitor:///tmp/Patch/*.log]
disabled = 0
index = main
sourcetype = linux_secure
crcSalt = <SOURCE>
log below:
Application~^~Server~^~Pre_Patching_Status~^~Patching_Status~^~Post_Patching_Status~^~Overall_Status
SAP GTS~^~sppgtslapew01~^~Success~^~Success~^~Success~^~Success
SAP GTS~^~sppgtslapew02~^~Success~^~Success~^~Success~^~Success
SAP GTS~^~sppgtsldbew01~^~Success~^~Failed~^~Skipped~^~Failed
Thank you.
Hi @srinivasgowda,
Can you please try with INDEXED_EXTRACTIONS=csv in props.conf?