Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can you ignore indexing of a header field on a CSV file?

bsantosh
New Member
‎09-18-2018 04:28 AM

Hi,
I would like to avoid the indexing of a Header field on a CSV file. How can I do that? Can anyone help me?
thanks and regards,
Santosh

Tags (2)
0 Karma
Reply

FrankVl
Ultra Champion
‎09-19-2018 05:05 AM

Can you please clarify (perhaps with some sample data) what you want to accomplish? Do you want to ignore some header lines from the CSV file (as the answer by @richgalloway assumes) or do you want to ignore a certain field (so entire column) of the CSV file?

0 Karma
Reply

bsantosh
New Member
‎09-20-2018 12:09 AM

Hi Frank,

For Ex:

I want to on-board 'test.csv' file to splunk which has the following columns:

Incident Ticket . Location . Tower . Category . Severity
763537 Bangalore S1 Network issue Urgent
783749 London A Operating System . Normal

Now, while reading this CSV data to Splunk, I would like to ignore field from indexing. Only field values (763537, Bangalore, S1, Network Issue, Urgent) needs to be indexed into Splunk.
After indexing, the event should not contain the header fields whereas these fields should be available on the left side under Interesting Fields only.

I hope this might give you a clarity now. regards, Santosh

0 Karma
Reply

FrankVl
Ultra Champion
‎09-20-2018 01:32 AM

Yeah, so you want to interpret the header line as the field names and not ingest it as an event itself. Then the answer from @richgalloway (or something along those lines) should be the solution.

0 Karma
Reply

bsantosh
New Member
‎09-20-2018 02:01 AM

Exactly. Thanks Frank for the prompt response.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-18-2018 05:45 AM

If you use these settings in your props.conf file, the header line should be interpreted as a list of field names and not indexed.

[mysourcetype]
INDEXED_EXTRACTIONS = CSV
HEADER_FIELD_LINE_NUMBER = 0
---
If this reply helps you, Karma would be appreciated.
Reply

krish5vuda
Engager
‎01-20-2022 07:42 AM

I have tried updating props with INDEXED_EXTRACTIONS = CSV after indexing happened this is not giving me any results and i still can see header in my events

 

I have tried/tested in our dev instance and changed the index name to main in inputs.conf and tested then it is working

 

So my question here is whether this Indexed_extractions = csv doesnt work after the indexing is already done

0 Karma
Reply

bsantosh
New Member
‎09-19-2018 12:06 AM

Hi, Thanks for the solution. I will check it and reply you back. regards, Santosh

0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...