Removing 1st line from the event

prathapkcsc · ‎06-16-2017

Hi,
I have a event with the column names like Type Category Count CPU in my event 1st line.
I don't want the columns names in my splunk report.
How do i remove the 1st line of the event
Thank you!

kamlesh_vaghela · ‎06-19-2017

Hi @prathapkcsc,

Can you please try below rex?? Here I tried to separate First Line and remaining.

<<YOUR SEARCH>> | rex field=_raw "^(?<firstLine>.*)\n.(?<remainingLine>[\s\S]*)$" |  table firstLine remainingLine

Thanks
Kamlesh

aliakseidzianis · ‎06-16-2017

It probably means that splunk does not see it as a header. Look at the props section about structured data

FIELD_HEADER_REGEX = <regex>
* A regular expression that specifies a pattern for prefixed headers. Note
  that the actual header starts after the pattern and it is not included in
  the header field.
* This attribute supports the use of the special characters described above.

HEADER_FIELD_LINE_NUMBER = <integer>
* Tells Splunk the line number of the line within the file that contains the
  header fields.  If set to 0, Splunk attempts to locate the header fields
  within the file automatically.
* The default value is set to 0.

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf#Structured_Data_Header_Extraction...

prathapkcsc · ‎06-16-2017

I seen this. I made the respective changes also.
What to put here
FIELD_HEADER_REGEX =

aliakseidzianis · ‎06-16-2017

Regular expression for your header. Since you have not provided sample for your data, i cannot tell exactly. You can use something like https://regex101.com/#python to help you write a regex.

prathapkcsc · ‎06-16-2017

TYPE                            Category             Count           CPU Usage (%)
Data Node                       Hadoop                26               0.17
Flume                           Hadoop                9                0.2
ResourceManager                 Hadoop                2                0.06
Hadoop                          ZooKeeper             5                0.19
Foyer                           Hadoop                2                0.28
Splunk                          Hadoop                1                0.06
RabbitMQ                        Non-Hadoop            7                0.98
PostGreSQL                      Non-Hadoop            3                0.11
TC_Server                       Non-Hadoop            12               0.67
Edge                            Hadoop                2                0.19

This is my sample data`

somesoni2 · ‎06-16-2017

Your requirement is better understood with a sample event, and corresponding expected output. (it's confusing when you say you've columns and you want to remove line??)

prathapkcsc · ‎06-16-2017

TYPE                            Category             Count           CPU Usage (%)
Data Node                       Hadoop                26               0.17
Flume                           Hadoop                9                0.2
ResourceManager                 Hadoop                2                0.06
Hadoop                          ZooKeeper             5                0.19
Foyer                           Hadoop                2                0.28
Splunk                          Hadoop                1                0.06
RabbitMQ                        Non-Hadoop            7                0.98
PostGreSQL                      Non-Hadoop            3                0.11
TC_Server                       Non-Hadoop            12               0.67
Edge                            Hadoop                2                0.19

This is my event.
Here, i don't want the 1st column

horsefez · ‎06-16-2017

Hi,

i found a neat solution for this.

Try the following as in this example:

index=_internal | table host source sourcetype | rename host AS " " source AS "  " sourcetype AS "   "

rename the first field with only one space character, the second with two space characters, the third with three space characters... and so on

This removes the column names 🙂

aliakseidzianis · ‎06-16-2017

I downvoted this post because it does not seems like it has anything to do with the question. why would you want your data without any column names?

horsefez · ‎06-16-2017

this was the original request by the poster...

aliakseidzianis · ‎06-16-2017

My understanding that his main question is: "How do i remove the 1st line of the event". But I may be wrong. I agree, it is not very clear.

aaraneta_splunk · ‎06-16-2017

@aliakseidzianisau - Downvoting should be reserved for suggestions/solutions that could be potentially harmful for a Splunk environment or goes completely against known best practices. pyro_wood was attempting to answer the question even though the original poster was vague in their explanation.

aliakseidzianis · ‎06-19-2017

my bad. Thanks for clarification!

prathapkcsc · ‎06-16-2017

Sorry. My main requirement is i want to remove the 1st line of the event. which is like this

TYPE                            Category             Count           CPU Usage (%)
Data Node                       Hadoop                26               0.17
Flume                           Hadoop                9                0.2
ResourceManager                 Hadoop                2                0.06
Hadoop                          ZooKeeper             5                0.19
Foyer                           Hadoop                2                0.28
Splunk                          Hadoop                1                0.06
RabbitMQ                        Non-Hadoop            7                0.98
PostGreSQL                      Non-Hadoop            3                0.11
TC_Server                       Non-Hadoop            12               0.67
Edge                            Hadoop                2                0.19

Removing 1st line from the event

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM