Stripping header from input file

jhallman · ‎08-25-2011

Is there a way to strip the header from a data input? This is coming from a universal forwarder

example

this is garbage
this is also garbage
end of garbage
HEADER DB_NAME DB_ID IO
timestamp test_db 1 100000
..
timestamp last_db 10 500000

I want to not index the first 4 lines (3 starting with > and the column heading line)

ogdin · ‎02-13-2014

Use Header-based Index-time field extractions:

http://docs.splunk.com/Documentation/Splunk/latest/Data/Extractfieldsfromfileheadersatindextime

In your example above, you could use HEADER_FIELD_LINE_NUMBER=4 or if there is garbage before the field names in the header FIELD_HEADER_REGEX=HEADER\s(.*)

davecroto · ‎08-08-2013

hello world two
hello world
pet,phone,street
cow,999-9999,taylor
dog,777-7878,balor
cat,656-5637,main
pig,878-1212,pine

transforms.conf

[HEADER_NULLQ]
REGEX= (pet|world)
DEST_KEY=queue
FORMAT=nullQueue

props.conf

[your sourcetype]
SHOULD_LINEMERGE = False
pulldown_type = 1
TRANSFORMS-HEADER_NULLQ=HEADER_NULLQ

Stripping header from input file

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

Your summer travels continue with new course releases

Are you a member of the Splunk Community?

Stripping header from input file

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

Your summer travels continue with new course releases