I have data in logs as specified in the sample below.
FILEHEADER|^2013-12-18 15:22:07|^v4|^RECORDS
@FIELDS|^FIELD1|^FIELD2|^FIELD3|^FIELD4|^FIELD5
VALUE1.1|^VALUE1.2|^VALUE1.3|^VALUE1.4|^VALUE1.5
VALUE2.1|^VALUE2.2|^VALUE2.3|^VALUE2.4|^VALUE2.5
VALUE3.1|^VALUE3.2|^VALUE3.3|^VALUE3.4|^VALUE3.5
VALUE4.1|^VALUE4.2|^VALUE4.3|^VALUE4.4|^VALUE4.5
As mentioned in http://docs.splunk.com/Documentation/Splunk/6.0/Data/Extractfieldsfromfileheadersatindextime
I tried to extract field values directly from the header.
I used the below configuration in props.conf:
CHECK_FOR_HEADER = true
FIELD_DELIMITER = \|\^
INDEXED_EXTRACTIONS = PSV
PREAMBLE_REGEX = FILEHEADER.*
FIELD_HEADER_REGEX = @FIELDS\|\^
SHOULD_LINEMERGE = false
But it doesn't seem to work, can anyone help please??
Field header regex requires a capture group for the text that contains the fields like below:
FIELD_HEADER_REGEX = @FIELDS(.*)
Hi adityapavan18,
your FIELD_HEADER_REGEX does not look okay, it should be like this:
@FIELDS\|
The expression is pure regex in the FIELD_HEADER_REGEX option, so your ^ was handled as a regex command, which means "matches the beginning of the string".
cheers, MuS
Oh, was that there before? 🙂 Well, yes it should. You could test it if you just use @FIELDS and double-check that the sourcetype matches.
MuS, I escaped the caret, right? So it will take it as a literal ^ and not start of line, right??
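An offline check of the regexes discussed in this thread, added here as an example and not part of any post: it compares the question's header pattern with a capture-group variant and shows how `\|\^` behaves as a delimiter. Python's `re` stands in for Splunk's regex engine and the code does not reproduce Splunk's index-time parser; `parse`, `header_fields` and the pattern `@FIELDS\|\^(.*)` are hypothetical names and choices made for this illustration.

```python
import re

# Constructed sample following the layout shown in the question.
SAMPLE = """\
FILEHEADER|^2013-12-18 15:22:07|^v4|^RECORDS
@FIELDS|^FIELD1|^FIELD2|^FIELD3
VALUE1.1|^VALUE1.2|^VALUE1.3
VALUE2.1|^VALUE2.2|^VALUE2.3
"""

PREAMBLE = re.compile(r"FILEHEADER.*")
HEADER_NO_GROUP = re.compile(r"@FIELDS\|\^")        # pattern from the question
HEADER_WITH_GROUP = re.compile(r"@FIELDS\|\^(.*)")  # same prefix plus a capture group
DELIM = re.compile(r"\|\^")                         # escaped pipe, escaped caret


def header_fields(line, pattern):
    """Return field names from capture group 1, or None if the pattern
    does not match or has no group to take the field list from."""
    m = pattern.match(line)
    if m is None or pattern.groups < 1:
        return None
    return DELIM.split(m.group(1))


def parse(text, header_pattern=HEADER_WITH_GROUP):
    """Skip preamble lines, read the header once, map each data line to a dict."""
    fields, events = None, []
    for line in text.splitlines():
        if not line or PREAMBLE.match(line):
            continue
        if fields is None:
            fields = header_fields(line, header_pattern)
            if fields is None:
                raise ValueError("header regex yielded no field list: %r" % line)
            continue
        values = DELIM.split(line)
        if len(values) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        events.append(dict(zip(fields, values)))
    return events


if __name__ == "__main__":
    for event in parse(SAMPLE):
        print(event)
```

With the answer's `@FIELDS(.*)` the captured text would start with `|^`, so splitting it on the delimiter produces an empty first field name; that is why the prefix here includes the delimiter.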