Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Windows UF ignores CSV header until restart

_smp_
Builder
‎05-11-2021 08:59 AM

I have a simple CSV file input on a Windows UF with a header of field names in the top row. The file is overwritten daily with the same name. When I delete the file and restart Splunk, the header row is ignored as expected. But if the UF (v8.0.5) is restarted, the header row will start being indexed. This will continue until I delete the file and restart the Splunk process, when it will begin ignoring the header row again (until the Splunk process is restarted).

My goal is to always ignore the first line of the file, regardless of whether the Splunk process is restarted.

Here is the current iteration of our props.conf. I'm not locked into this config, but I've tried many different combinations and can't seem to find the right one. Any suggestions on what to tweak?

 

[crowdstrike:metrics:cicoverage]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
CHARSET = UTF-8
INDEXED_EXTRACTIONS = csv
KV_MODE = none
disabled = false
HEADER_FIELD_LINE_NUMBER = 1
TZ = UTC
CHECK_FOR_HEADER = true

 

 

Labels (3)
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...