Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

header problem in splunk reading the wrong header

lavanyaanne
Path Finder
‎08-01-2016 01:55 AM

i am using perl script to pull the data from DB. The data is indexed perfectly and it's using the header that i was mentioned in the script. But after some time it's taking the one of the event as the header and it's indexing the data. what might be the problem.
here attaching the inputs and props .please help me

inputs.conf
[script:///opt/li/splunk/etc/apps/input/bin/actions.pl]
interval = 0 */1 * * *
index = _internal
sourcetype = actions
source = actions.pl
disabled = false

[batch:///opt/li/splunk/etc/apps/input/bin/actions_data.psv*]
index = sample
sourcetype = actions
move_policy = sinkhole
disabled = false
crcSalt=

props.conf

[actions]
SHOULD_LINEMERGE=false
INDEXED_EXTRACTIONS=PSV
NO_BINARY_CHECK=true
DATETIME_CONFIG=NONE
CHARSET=auto
disabled=false
category=sample

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lavanyaanne
Path Finder
‎08-01-2016 06:53 AM

hi guys,

i found the solution that in props.conf if i use CHECK_FOR_HEADER=TRUE the events are extracting in the correct manner.

thanx.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎08-01-2016 06:56 AM

Change from batch to monitor so that the original source file is preserved (this step is not necessary if you have access to the original file through some other means) and then check the source field for the event that contains the header. Once you know the name of the offending file, go back to it and examine it. I believe you will find something in that file that is different from all the other files. There might be a blank line as the first line or some other unexpected characters or formatting. Eliminate the source of this and that will fix your problem.

0 Karma
Reply
Solved! Jump to solution
Solution

lavanyaanne
Path Finder
‎08-01-2016 06:53 AM

hi guys,

i found the solution that in props.conf if i use CHECK_FOR_HEADER=TRUE the events are extracting in the correct manner.

thanx.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...