×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
dgustaf
New Member
Member since: ‎02-05-2014
‎06-05-2020
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎02-05-2014
View All

Re: Forwarding logs with a long header and variabl...

by Splunk Employee in Getting Data In
‎02-13-2014 07:31 AM
1 Karma
‎02-13-2014 07:31 AM
1 Karma
Try this: http://docs.splunk.com/Documentation/Splunk/latest/Data/Extractfieldsfromfileheadersatindextime In inputs.conf [monitor:///your-path/filename] sourcetype=header-file In props.conf [header-file] FIELD_DELIMITER=space HEADER_FIELD_DELIMITER=space HEADER_FIELD_LINE_NUMBER=20 NO_BINARY_CHECK=1 SHOULD_LINEMERGE=false Should dump the first 19 lines (the garbage) and use the header found in line 20. If the header is variable length, you can use other methods such as FIELD_HEADER_REGEX. Note this will work on Forwarders and does the header/field mapping at index-time. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM