Hi Guys,
I do a data Input from a folder. The folder contains CSV files. Splunk imports all the data in a correct way, except one thing: Splunk imports the header fields as an event... but why?
If I do a table search, the first row is always the same as the header....
inputs.conf:
[monitor://D:\Folder]
disabled = false
host_segment = 16
index = myindex
sourcetype = csv
whitelist = \.csv$
props.conf
[source::D:\Folder\*.csv]
TIME_FORMAT=%y/%m/%d-%H:%M:%S.%3N
This link will contain the information you are after.
http://docs.splunk.com/Documentation/Splunk/6.2.11/Data/Extractfieldsfromfileheadersatindextime
INDEXED_EXTRACTIONS = CSV
FIELD_DELIMITER = ,
document reference -
http://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Propsconf
on this page, search for
CHECK_FOR_HEADER = [true|false]
Try this one. In your props.conf, also add this line:
[yoursourcetype]
TRANSFORMS-NoHeader = NoHeader
In your transforms.conf, add this:
[NoHeader]
REGEX = Time, ACTION,ORDER_NO, ...
DEST_KEY = queue
FORMAT = nullQueue
Sorry for my impoliteness, but I am sick of trial and error....
I am not getting you. By "trial and error", you mean you already tried this?
The above one is from this post and six guys upvoted that.
https://answers.splunk.com/answers/1041/how-to-ignore-the-titile-line-of-the-csv-file-in-the-result-...
So, I think the above info is correct.
CHECK_FOR_HEADER is deprecated, but I will try the second part... 🙂 thanks
Nope. CHECK_FOR_HEADER is not deprecated.
The latest version 6.4.2 document reference -
http://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Propsconf
on this page, search for
CHECK_FOR_HEADER = [true|false]
Oh, sorry,
they wrote it years ago....
http://docs.splunk.com/Documentation/Splunk/5.0.4/releasenotes/Deprecatedfeatures
CHECK_FOR_HEADER props.conf attribute (for index-time field extractions): This feature is deprecated and might be removed in a future release.
My fault.
It works with the second part:
props.conf
TIMESTAMP_FIELDS = ActualStartTime
transforms.conf
[NoHeader]
REGEX = JobHistoryID,JobID,TaskTypeID
DEST_KEY = queue
FORMAT = nullQueue
Hi @nikkkc
If @inventsekar's answer solved your question, please don't forget to resolve the post by clicking "Accept" directly below the answer. Also, upvote the Answer or comments that you found helpful. Thanks!
Patrick
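A way to dry-run the NoHeader REGEX before deploying it, added here as an example and not part of the original thread: Splunk matches a transforms.conf REGEX unanchored against the raw event, so a header fragment can also send data rows that merely contain that text to nullQueue. The sample rows, the Note column and both helper names are constructed for illustration, and Python's re module stands in for Splunk's PCRE engine.

```python
import re

# Constructed sample file. Column names follow the thread's transforms.conf
# REGEX and TIMESTAMP_FIELDS; the "Note" column and all rows are made up.
SAMPLE_CSV = """JobHistoryID,JobID,TaskTypeID,ActualStartTime,Note
1001,7,3,16/08/01-10:15:00.123,ok
1002,7,3,16/08/01-10:20:00.456,"re-import: header was JobHistoryID,JobID,TaskTypeID"
1003,8,1,16/08/01-10:25:00.789,ok
"""


def dry_run(lines, pattern):
    """Split lines into (kept, dropped) the way a nullQueue transform would.

    The REGEX is applied unanchored to each raw event, which corresponds
    to re.search() here (approximation of PCRE behaviour).
    """
    rx = re.compile(pattern)
    kept, dropped = [], []
    for line in lines:
        (dropped if rx.search(line) else kept).append(line)
    return kept, dropped


def anchored_header_regex(header_line):
    """Build a REGEX that matches only an event equal to the full header line."""
    return "^" + re.escape(header_line.rstrip("\r\n")) + r"\s*$"


if __name__ == "__main__":
    lines = SAMPLE_CSV.splitlines()
    candidates = {
        "fragment (as in the thread)": r"JobHistoryID,JobID,TaskTypeID",
        "anchored full header": anchored_header_regex(lines[0]),
    }
    for label, pattern in candidates.items():
        kept, dropped = dry_run(lines, pattern)
        print(f"{label}: REGEX = {pattern}")
        for line in dropped:
            # Any dropped line that is not the header is silent data loss.
            flag = "header" if line == lines[0] else "DATA ROW LOST"
            print(f"  -> nullQueue [{flag}] {line}")
        print(f"  kept {len(kept)} of {len(lines)} lines")
```

Run it against a copy of a real input file by replacing SAMPLE_CSV with the file's contents; any line flagged DATA ROW LOST would never reach the index.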