HEADER_FIELD_LINE_NUMBER = 1 not working

srinivasgowda · ‎02-12-2021

While trying to get the data from UF to indexer, the header is getting indexed as well. Attached the log file and the input.conf and props.conf configured currently

props.conf:

[linux_secure]
HEADER_FIELD_LINE_NUMBER = 1
FIELD_DELIMITER = ~^~
EVENT_BREAKER = "([\r\n]+)"

inputs.conf
[monitor:///tmp/Patch/*.log]
disabled = 0
index = main
sourcetype = linux_secure
crcSalt = <SOURCE>

log below:

Application~^~Server~^~Pre_Patching_Status~^~Patching_Status~^~Post_Patching_Status~^~Overall_Status
SAP GTS~^~sppgtslapew01~^~Success~^~Success~^~Success~^~Success
SAP GTS~^~sppgtslapew02~^~Success~^~Success~^~Success~^~Success
SAP GTS~^~sppgtsldbew01~^~Success~^~Failed~^~Skipped~^~Failed

Thank you.

scelikok · ‎02-12-2021

Hi @srinivasgowda,

Can you please try with INDEXED_EXTRACTIONS=csv in props.conf?

If this reply helps you an upvote and "Accept as Solution" is appreciated.

HEADER_FIELD_LINE_NUMBER = 1 not working

universal forwarder

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Join the Conversation

HEADER_FIELD_LINE_NUMBER = 1 not working

universal forwarder

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...