Solved: Re: Unable to get PREAMBLE_REGEX to work

a212830 · ‎07-24-2019

Hi,

I have a csv file with headers, and a preamble. I already have the fields being discovered, but I'm unable to get both filtered from indexing and hoping someone can help me. Here are examples of the lines that I want filtered:

1) ################################### Perfmon start:

2)#time,pkt_drop_percent,wire_mbits_per_sec.realtime,alerts_per_second,kpackets_wire_per_sec.realtime,avg_bytes_per_wire_packet,patmatch_percent,syns_per_second,synacks_per_second,

Here's my props.conf:

PREAMBLE_REGEX = (^#time.+|^#########+)
ANNOTATE_PUNCT=false
MAX_TIMESTAMP_LOOKAHEAD = 35
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX=^

I think that this should work, but it's not. Any ideas?

a212830 · ‎07-24-2019

Found it. Should have just had ^# as the preamble regex. Still not sure why that didn't work though.

View solution in original post

a212830 · ‎07-24-2019

Found it. Should have just had ^# as the preamble regex. Still not sure why that didn't work though.

Unable to get PREAMBLE_REGEX to work

September Community Champions: A Shoutout to Our Contributors!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Are you a member of the Splunk Community?

Unable to get PREAMBLE_REGEX to work

September Community Champions: A Shoutout to Our Contributors!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025