Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Newbie Question - CSV with header
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey everyone. First, thanks for helping with all of my newbie questions, I really appreciate it. Right now I am trying to feed .CSV files into splunk. Each csv is set up in the following format:
TIMESTAMP,HEADERITEM1,...,LASTHEADER
R1TIMESTAMP,R1DATA2,...,R1LASTDATA
R2TIMESTAMP,R2DATA2,...,R2LASTDATA
R3TIMESTAMP,R3DATA2,...,R3LASTDATA
R4TIMESTAMP,R4DATA2,...,R4LASTDATA
I am trying to remove or just ignore the header line, but it still keeps getting indexed. I have set up my props.conf file to look like this:
[sip-acl]
REPORT-sipaclparse=sip-acl_parse
TRANSFORMS-null=setnullsip-acl
And the transforms.conf file to look like this:
[sip-acl_parse]
DELIMS=","
FIELDS="TIMESTAMP", "HEADERITEM1", ... ,"LASTHEADER"
[setnullsip-acl]
REGEX=TIMESTAMP,HEADERITEM1
DEST_KEY=nullQueue
FORMAT=nullQueue
AT=nullQueue
Can anyone tell me what I'm doing wrong? I'd appreciate the help. Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Looks like your transformer your using to drop the header isn't quite right. Try this instead:
[setnullsip-acl]
REGEX = ^TIMESTAMP,HEADERITEM1
DEST_KEY=queue
FORMAT=nullQueue
I'm assuming that your regex is correct. I recommend using an external regex testing utility for this kind of thing. I use one all the time and it has saved me from tons of headaches.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Looks like your transformer your using to drop the header isn't quite right. Try this instead:
[setnullsip-acl]
REGEX = ^TIMESTAMP,HEADERITEM1
DEST_KEY=queue
FORMAT=nullQueue
I'm assuming that your regex is correct. I recommend using an external regex testing utility for this kind of thing. I use one all the time and it has saved me from tons of headaches.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That worked perfectly, thank you so much!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Mile High Learning with Splunk University, Denver, Colorado
IT Service Intelligence 5.0 Series: Your Guide to the June Launch
Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0
