Hello,
I have the following little csv file:
time,interface,utilization
2019-11-03,int_a,100
2019-11-04,int_b,200
You can see it contains a header and two rows with the data.
I want to perform index time extraction of the fields. I also want to use the timestamp from the time column.
This is my props.conf configuration:
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = csv
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
TIMESTAMP_FIELDS = time
TIME_FORMAT = %Y-%m-%d
category = Custom
pulldown_type = 1
HEADER_FIELD_LINE_NUMBER = 1
disabled = false
FIELD_HEADER_REGEX =
PREAMBLE_REGEX =
No matter what I do, Splunk always indexes the header as well. I don't want that. I have tried the following settings:
PREAMBLE_REGEX - this ignores the header, but then index time field extractions are not performed. Probably because the header is ignored (chicken and egg situation). I can work around this by listing the comma-separated field names manually, but I want schema on write support, which Splunk doesn't seem to provide.
HEADER_FIELD_LINE_NUMBER = 1 - tried this setting, which made no difference.
Does anyone know if it is possible to index csv file fields without the header and without defining column names manually in props.conf?
Thank you,
Kiril