Hi,
On a server with Splunk Universal Forwarder installed, we are monitoring a CSV log with a header and lines in the following format:

"Status","Device Name","IP Address","Site","Last Backup Date"
"Success","Active Directory","10.123.456.78","Global","30-04-2020 20:11:05"
"Failure","Active Directory","10.123.456.89","Global","30-04-2020 20:11:06"

Splunk ingests the "Header" line even with the following header-related parameters in props.conf:

[cvs_custom_sourcetype]
DATETIME_CONFIG = CURRENT
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
INDEXED_EXTRACTIONS = csv
HEADER_FIELD_LINE_NUMBER = 1
HEADER_FIELD_DELIMITER = ,
HEADER_FIELD_QUOTE = "
FIELD_QUOTE = "
KV_MODE = none

Any suggestions as to why this is happening?