Hi @prathapkcsc,
Can you please try the rex below? Here I tried to separate the first line from the remaining lines.
<<YOUR SEARCH>> | rex field=_raw "^(?<firstLine>.*)\n(?<remainingLine>[\s\S]*)$" | table firstLine remainingLine
Thanks
Kamlesh
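As an added example that is not part of Kamlesh's answer: the same first-line/remainder split done in Python against a constructed copy of the sample event posted in this thread, followed by a parse of the remaining rows into fields. The function names (`split_header`, `strip_header`, `parse_rows`) and the assumed row layout (TYPE may contain spaces; Category, Count and CPU are the last three whitespace-separated tokens) are my assumptions, not Splunk's. A second pattern with a stray `.` after the `\n` is kept alongside to show why nothing may sit between the newline and the second capture group.

```python
import re

# Constructed sample event, modelled on the data posted later in this thread.
SAMPLE_EVENT = """TYPE Category Count CPU Usage (%)
Data Node Hadoop 26 0.17
Flume Hadoop 9 0.2
ResourceManager Hadoop 2 0.06
Hadoop ZooKeeper 5 0.19
Foyer Hadoop 2 0.28
Splunk Hadoop 1 0.06
RabbitMQ Non-Hadoop 7 0.98
PostGreSQL Non-Hadoop 3 0.11
TC_Server Non-Hadoop 12 0.67
Edge Hadoop 2 0.19"""

# Same shape as a Splunk rex that captures the first line into one group and
# everything after the newline into another. Python spells named groups
# (?P<name>...) where Splunk's PCRE rex uses (?<name>...).
SPLIT_RE = re.compile(r"^(?P<firstLine>.*)\n(?P<remainingLine>[\s\S]*)$")

# Same pattern with a stray "." between the \n and the second group. The dot
# matches (and discards) the first character of line two.
STRAY_DOT_RE = re.compile(r"^(?P<firstLine>.*)\n.(?P<remainingLine>[\s\S]*)$")


def split_header(event):
    """Return (header_line, body); (None, event) when there is only one line."""
    event = event.replace("\r\n", "\n")  # tolerate CRLF input
    m = SPLIT_RE.match(event)
    if m is None:
        return None, event
    return m.group("firstLine"), m.group("remainingLine")


def strip_header(event):
    """The thread's actual request: the event without its first line."""
    return split_header(event)[1]


def remaining_with_stray_dot(event):
    """Demonstrates the defect: the body loses its first character."""
    m = STRAY_DOT_RE.match(event.replace("\r\n", "\n"))
    return None if m is None else m.group("remainingLine")


# Row layout (assumed): TYPE may contain spaces, so match it lazily and anchor
# on the three right-most tokens: Category (no spaces), Count (int), CPU (float).
ROW_RE = re.compile(
    r"^(?P<type>.+?)\s+(?P<category>\S+)\s+(?P<count>\d+)\s+(?P<cpu>\d+(?:\.\d+)?)$"
)


def parse_rows(body):
    """Parse the header-less body into one dict per data row."""
    rows = []
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue  # skip blank trailing lines
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError("unparsed row: %r" % line)
        rows.append({
            "TYPE": m.group("type"),
            "Category": m.group("category"),
            "Count": int(m.group("count")),
            "CPU": float(m.group("cpu")),
        })
    return rows


if __name__ == "__main__":
    header, body = split_header(SAMPLE_EVENT)
    print("header:", header)
    for row in parse_rows(body):
        print(row)
```

`parse_rows` raises on a line it cannot classify rather than silently producing a partial field set, which is the behaviour you want when the same regex is later moved into a `rex` or a props.conf extraction and the input format drifts.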
It probably means that Splunk does not see it as a header. Look at the props section about structured data:
FIELD_HEADER_REGEX = <regex>
* A regular expression that specifies a pattern for prefixed headers. Note
that the actual header starts after the pattern and it is not included in
the header field.
* This attribute supports the use of the special characters described above.
HEADER_FIELD_LINE_NUMBER = <integer>
* Tells Splunk the line number of the line within the file that contains the
header fields. If set to 0, Splunk attempts to locate the header fields
within the file automatically.
* The default value is set to 0.
I have seen this. I made the respective changes also.
What should I put here?
FIELD_HEADER_REGEX =
Regular expression for your header. Since you have not provided a sample of your data, I cannot tell exactly. You can use something like https://regex101.com/#python to help you write a regex.
TYPE Category Count CPU Usage (%)
Data Node Hadoop 26 0.17
Flume Hadoop 9 0.2
ResourceManager Hadoop 2 0.06
Hadoop ZooKeeper 5 0.19
Foyer Hadoop 2 0.28
Splunk Hadoop 1 0.06
RabbitMQ Non-Hadoop 7 0.98
PostGreSQL Non-Hadoop 3 0.11
TC_Server Non-Hadoop 12 0.67
Edge Hadoop 2 0.19
This is my sample data.
Your requirement is better understood with a sample event and the corresponding expected output. (It's confusing when you say you have columns and you want to remove a line?)
TYPE Category Count CPU Usage (%)
Data Node Hadoop 26 0.17
Flume Hadoop 9 0.2
ResourceManager Hadoop 2 0.06
Hadoop ZooKeeper 5 0.19
Foyer Hadoop 2 0.28
Splunk Hadoop 1 0.06
RabbitMQ Non-Hadoop 7 0.98
PostGreSQL Non-Hadoop 3 0.11
TC_Server Non-Hadoop 12 0.67
Edge Hadoop 2 0.19
This is my event.
Here, I don't want the 1st column.
Hi,
I found a neat solution for this.
Try the following as in this example:
index=_internal | table host source sourcetype | rename host AS " " source AS " " sourcetype AS " "
Rename the first field with only one space character, the second with two space characters, the third with three space characters, and so on.
This removes the column names 🙂
I downvoted this post because it does not seem like it has anything to do with the question. Why would you want your data without any column names?
this was the original request by the poster...
My understanding is that his main question is: "How do I remove the 1st line of the event?" But I may be wrong. I agree, it is not very clear.
@aliakseidzianisau - Downvoting should be reserved for suggestions/solutions that could be potentially harmful for a Splunk environment or go completely against known best practices. pyro_wood was attempting to answer the question even though the original poster was vague in their explanation.
my bad. Thanks for clarification!
Sorry. My main requirement is that I want to remove the 1st line of the event, which is like this:
TYPE Category Count CPU Usage (%)
Data Node Hadoop 26 0.17
Flume Hadoop 9 0.2
ResourceManager Hadoop 2 0.06
Hadoop ZooKeeper 5 0.19
Foyer Hadoop 2 0.28
Splunk Hadoop 1 0.06
RabbitMQ Non-Hadoop 7 0.98
PostGreSQL Non-Hadoop 3 0.11
TC_Server Non-Hadoop 12 0.67
Edge Hadoop 2 0.19