Solved: Unable to get PREAMBLE_REGEX to work

a212830 · ‎07-24-2019

Hi,

I have a csv file with headers, and a preamble. I already have the fields being discovered, but I'm unable to get both filtered from indexing and hoping someone can help me. Here are examples of the lines that I want filtered:

1) ################################### Perfmon start:

2)#time,pkt_drop_percent,wire_mbits_per_sec.realtime,alerts_per_second,kpackets_wire_per_sec.realtime,avg_bytes_per_wire_packet,patmatch_percent,syns_per_second,synacks_per_second,

Here's my props.conf:

PREAMBLE_REGEX = (^#time.+|^#########+)
ANNOTATE_PUNCT=false
MAX_TIMESTAMP_LOOKAHEAD = 35
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX=^

I think that this should work, but it's not. Any ideas?

a212830 · ‎07-24-2019

Found it. Should have just had ^# as the preamble regex. Still not sure why that didn't work though.

View solution in original post

a212830 · ‎07-24-2019

Found it. Should have just had ^# as the preamble regex. Still not sure why that didn't work though.

Unable to get PREAMBLE_REGEX to work

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?

Unable to get PREAMBLE_REGEX to work

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25