Splunk Search

Unable to get PREAMBLE_REGEX to work

a212830
Champion

Hi,

I have a csv file with headers, and a preamble. I already have the fields being discovered, but I'm unable to get both filtered from indexing and hoping someone can help me. Here are examples of the lines that I want filtered:

1) ################################### Perfmon start:

2)#time,pkt_drop_percent,wire_mbits_per_sec.realtime,alerts_per_second,kpackets_wire_per_sec.realtime,avg_bytes_per_wire_packet,patmatch_percent,syns_per_second,synacks_per_second,

Here's my props.conf:

PREAMBLE_REGEX = (^#time.+|^#########+)
ANNOTATE_PUNCT=false
MAX_TIMESTAMP_LOOKAHEAD = 35
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX=^

I think that this should work, but it's not. Any ideas?

0 Karma
1 Solution

a212830
Champion

Found it. Should have just had ^# as the preamble regex. Still not sure why that didn't work though.

View solution in original post

0 Karma

a212830
Champion

Found it. Should have just had ^# as the preamble regex. Still not sure why that didn't work though.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In January, the Splunk Threat Research Team had one release of new security content via the Splunk ES Content ...

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...