Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to ignore the titile line of the csv file in the result? and display in a KV format?

William
Path Finder
‎04-05-2010 07:42 AM

I try to add some csv files, which contain data like the followings

Time, ACTION,ORDER_NO, ...

2009-11-2 20:00:00.041,REQUEST,48613840, ...

2009-11-2 20:00:00.041,REQUEST,48613839, ...

2009-11-2 20:00:00.041,REQUEST_ACK,48613840, ...

2009-11-2 20:00:00.041,REQUEST_ACK,48613839, ...

2009-11-2 20:00:00.046,REQUEST,48613841, ...

when I set the input source type as "csv", then the input file can be recognized with an "AutoHeader-1" stanza and a "csv-2" stanza being added to "$Splunk\etc\apps\learned\local\transforms.conf" and "$Splunk\etc\apps\learned\local\props.conf" respectively.

But I still have two problem,

  1. the first line (title line "Time, ACTION,ORDER_NO, ...") will be take as an event also, as follows

    10-4-5 02:49:28.000 _time,ACTION,ORDER_NO, ...

    2009-11-2 20:00:00.074,REQUEST,48613844, ...

    2009-11-2 20:00:00.055,REQUEST_ACK,48613842, ...

    so, how can I remove the title line from the result?

  2. How can I display the result in an KV format?

Reply
1 Solution
Solved! Jump to solution
Solution

BunnyHop
Contributor
‎04-05-2010 01:33 PM

You can add the CHECK_FOR_HEADER = true on the props.conf.

View solution in original post

Reply
Solved! Jump to solution

mike_lebrun
Explorer
‎10-07-2014 09:40 AM

During my research into dealing with the header of a .csv, I've found that CHECK_FOR_HEADER is a deprecated feature and is no longer a best practice for dealing with the header of a .csv file.

http://docs.splunk.com/Documentation/Splunk/5.0.4/releasenotes/Deprecatedfeatures

0 Karma
Reply
Solved! Jump to solution

cmeo
Contributor
‎07-28-2010 05:51 AM

Seriously folks, the solution in answer <1> should be the default behaviour. Why would you want the headers included in your indexed data???

0 Karma
Reply
Solved! Jump to solution

Lowell
Super Champion
‎08-02-2011 10:43 AM

Do you really want Splunk choosing (own its own) to just drop certain events out of your log files?

Reply
Solved! Jump to solution

BunnyHop
Contributor
‎04-07-2010 02:32 PM

in your props.conf also add this line:

[yoursourcetype]
TRANSFORMS-NoHeader = NoHeader

on your transforms.conf add this:

[NoHeader]
REGEX = Time, ACTION,ORDER_NO, ...
DEST_KEY = queue
FORMAT = nullQueue
Reply
Solved! Jump to solution

bhawkins1
Communicator
‎12-22-2016 08:14 AM

This is the only solution that worked for me.

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎04-05-2010 03:49 PM

  1. I would just leave it there and ignore it/exclude it in your searches, but if you really really want to, you can apply a regex TRANSFORM to strip it out.

  2. Probably would be better if you were more specific about what you are trying to show/find. Splunk can transform results, but it's probably not very useful to simply rewrite the raw event text in a different format. What are you trying do or show with the data itself?

Reply
Solved! Jump to solution
Solution

BunnyHop
Contributor
‎04-05-2010 01:33 PM

You can add the CHECK_FOR_HEADER = true on the props.conf.

Reply
Solved! Jump to solution

William
Path Finder
‎04-07-2010 01:42 PM

thanks, it works for the 2nd question.

Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...