Splunk Search

csv files can't ignore headers

mmekroud
Explorer

Dear all,

Actually working on csv files on Splunk (v6.2.3), i have such troubles to index them correctly,

contains data are like the followings:

filed1; field2; filed3; DATE
content1; content2; content3; 23-02-2015
content4; content5; content6; 24-02-2016
...

So, when I set the input.conf and transforms.conf it recognize my fields but I still get in my search the csv header on the first line of my field , and "DATE" is shown as DATE: DATEcontent1;

bellow my props & transforms configuration

props.conf:

[source::.../report_*.csv]

CHECK_FOR_HEADER = true
SHOULD_LINEMERGE=false
INDEXED_EXTRACTIONS = csv
TIME_FORMAT = %Y-%m-%d
KV_MODE = none
TZ = UTC

report_extract=extract_field

Transforms.conf:

[report_extract=extract_field]
DELIMS = ";"
FIELDS ="filed1","field2","field3","DATE"

thanks in advance for your help,

regards,
mm

Tags (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Try adding the following to your props.conf file. Then you shouldn't need the transforms.conf stanza.

FIELD_DELIMITER=;
HEADER_FIELD_DELIMITER=;
TIMESTAMP_FIELDS=DATE
TIME_FORMAT=%d-%m-%Y
---
If this reply helps you, Karma would be appreciated.
0 Karma

mmekroud
Explorer

Thank you richgalloway for your reply,
i added what you suggest and removed the transforms.conf , but this time , it doesn't recover any field

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...