Removing header from CSV file

krish5vuda · ‎01-04-2022

I have a CSV file placed in a UF and the CSV data is as follows

'"Name" "userid" "use location" "userdesignation"'

Raj raj-123 Argentina Consultant

Now I have written props and transforms as below but still the header is being ingested

Props:

[Sourcetype]

Should_linemerge=false

Line_Breaker=([\r\n]+)

NO_BINARY_CHECK=true

CHARSET= UTF-8

INDEXED_EXTRACTIONS=CSV

category=structured

description=Comma-separated value format. Set header and other settings in "Delimited Settings"

disabled=false

TRUNCATE=99999

DATETIME_CONFIG=CURRENT

KV_MODE=none

HEADER_FIELD_LINE_NUMBER=1

TRANSFORMS-set=setnull

Transforms.conf

[setnull]

REGEX=(^"NAME".*$) |(^\'\"NAME\".$)

DEST_KEY=queue

FORMAT=nullQueue

Please let me know what changes has to be made so that header is not being ingested

isoutamo · ‎01-04-2022

Have you try this on UF? In UF you cannot use transforms.con and actually you shouldn’t need it as you told that headers are in first row in file. And remember to restart UF after put props.conf there.

krish5vuda · ‎01-04-2022

This conf are in indexer and not in UF

isoutamo · ‎01-04-2022

He is instructions where those files should be in different cases https://wiki.splunk.com/Community:HowIndexingWorks and https://www.aplura.com/assets/pdf/where_to_put_props.pdf.

Removing header from CSV file

administration

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?

Splunk Education Goes to Washington | Splunk GovSummit 2024