Trying to index a CSV, but only the first two lines are indexing. I want to skip the first line and start indexing the data from the headers for the columns
Splunk Search output
TYPE Selected.Microsoft.ActiveDirectory.Management.ADAccount,, LastLogonDate,Name,LockedOut
CSV input file
TYPE Selected.Microsoft.ActiveDirectory.Management.ADAccount,,
LastLogonDate,Name,LockedOut
25/05/2016 2:13,SPKTest3,TRUE
25/05/2016 2:13,SPKTest4,TRUE

[ADAcount]
HEADER_FIELD_LINE_NUMBER = 2
INDEXED_EXTRACTIONS = csv
FIELD_DELIMITER = ,

[monitor:...//test.csv]
disabled = false
sourcetype = ADAcount
index = test
I'm not entirely sure this is the issue, but I've seen Splunk trip over timestamps like these before. Splunk seems to expect a leading zero in the hour field of the timestamp, e.g. 25/05/2016 02:13,SPKTest3,TRUE
Furthermore, it's good practice to include the timestamp format in props.conf, as this is empty by default.
TIME_FORMAT = <strptime-style format>
* Specifies a strptime format string to extract the date.
* strptime is an industry standard for designating time formats.
* For more information on strptime, see "Configure timestamp recognition" in the online documentation.
* TIME_FORMAT starts reading after the TIME_PREFIX. If both are specified, the TIME_PREFIX regex must match up to and including the character before the TIME_FORMAT date.
* For good results, the <strptime-style format> should describe the day of the year and the time of day.
* Defaults to empty.
Try uploading the CSV via the web interface. This will allow you to preview the data you're about to index. You can modify the time field extraction, headers, etc. from here.
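An added props.conf stanza (not the poster's original config or any answerer's) that puts the pieces discussed above together: it ignores the PowerShell TYPE preamble line with PREAMBLE_REGEX, keeps the header on line 2 as in the question, and tells Splunk which column carries the event time and in what format, as the first answer recommends. The regex and the assumption that the hour field is zero-padded are mine.

```ini
# props.conf (added example, not the poster's original stanza)
[ADAcount]
INDEXED_EXTRACTIONS = csv
FIELD_DELIMITER = ,

# Line 1 of the export is the "TYPE Selected.Microsoft....,," preamble.
# Ignore it instead of letting it merge into the first event.
# The pattern is an assumption based on the first line shown in the question.
PREAMBLE_REGEX = ^TYPE\s

# Column names are on line 2 of the file
HEADER_FIELD_LINE_NUMBER = 2

# Take the event timestamp from the LastLogonDate column rather than index time
TIMESTAMP_FIELDS = LastLogonDate

# Day/month/year with a zero-padded 24-hour clock, e.g. 25/05/2016 02:13
# (assumes the export is written with a leading zero in the hour, as suggested above)
TIME_FORMAT = %d/%m/%Y %H:%M
```

These are index-time settings, so they only affect data read after the change; the file has to be re-read (for example through the Add Data preview mentioned above) before you can see the result.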