Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

CHECK_FOR_HEADER identifying incorrect delimiter in CSV header

scaster
New Member
‎05-02-2012 07:23 AM

We have a system, Splunk 4.2.1 (build 98164), that scans a directory to read in CSV files, which include comma-delimited header lines.

This usually works fine, but periodically, instead of properly interpreting the header line, the CHECK_FOR_HEADER/AutoHeader function identifies a space as the delimiter, even though there are no spaces in the header line, and creates an AutoHeader in which the entire comma-delimited header is identified as one big field name:

[AutoHeader-11]
DELIMS = " "
FIELDS = "SessionID,AnalyzerIP,AnalyzerID,PopNm,TimeStamp,Date,Hour,Minute,TzOfstMins,TzDst,TzNm,TzDstNm,ClientIP,ServerIP,Protocol,Tag,TimeStampFrac,ProtocolEventID,ID,Proto,Type,Name,Class,TTL,Rdata"

The line in the file is perfectly ordinary, formatted identically to header lines that are processed correctly. In fact, earlier in transforms.conf, the exact same header is identified correctly:

[AutoHeader-7]
DELIMS = ","
FIELDS = "SessionID", "AnalyzerIP", "AnalyzerID", "PopNm", "TimeStamp", "Date", "Hour", "Minute", "TzOfstMins", "TzDst", "TzNm", "TzDstNm", "ClientIP", "ServerIP", "Protocol", "Tag", "TimeStampFrac", "ProtocolEventID", "ID", "Proto", "Type", "Name", "Class", "TTL", "Rdata"

Does anyone have any idea what could cause this?

0 Karma
Reply

ogdin
Splunk Employee
Splunk Employee
‎02-13-2014 09:01 AM

We've deprecated CHECK_FOR_HEADER in Splunk 6 and replaced it with more robust header controls. See:

http://docs.splunk.com/Documentation/Splunk/latest/Data/Extractfieldsfromfileheadersatindextime

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...