Solved: About import(monitor) excluding csv header

oda · ‎10-01-2020

I'm trying to import a csv file Using the monitor function.
The imported csv file will be updated (overwritten).
Since the header line is included in duplicate, I put the setting of "HEADER_FIELD_LINE_NUMBER=1".
Initially it works, but when I reboot it doesn't.
Does anyone know the answer or the issue?

richgalloway · ‎10-01-2020

Please explain "Initially it works, but when I reboot it doesn't." What changes after reboot?

IME, importing CSVs can be problematic because of this. The header line is needed so Splunk knows what the fields are, but then you have duplicate header lines in your search results. One answer is to filter the headers from your searches. Another answer (the one I've used in the past) is to switch to a different file format.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎10-01-2020

Please explain "Initially it works, but when I reboot it doesn't." What changes after reboot?

IME, importing CSVs can be problematic because of this. The header line is needed so Splunk knows what the fields are, but then you have duplicate header lines in your search results. One answer is to filter the headers from your searches. Another answer (the one I've used in the past) is to switch to a different file format.

---
If this reply helps you, Karma would be appreciated.

About import(monitor) excluding csv header

configuration

troubleshooting

using Splunk Enterprise

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!