I used the Splunk Add-on Builder to export an add-on that I'm working on, but I needed to make a tweak to props.conf and transforms.conf in order to remove the first line of multiple source types (text files) that I'm monitoring in inputs.conf. However, I am getting no results and am unsure why. These are my .conf stanzas:

[assignment_fact]
NO_BINARY_CHECK = true
category = Splunk App Add-on Builder
disabled = false
SHOULD_LINEMERGE = 0
pulldown_type = true
TRANSFORMS-removeheader = removeheaderrow
REPORT-ta_builder_internal_use_table_format_results_for_assignment_fact = ta_builder_internal_use_table_format_results_for_assignment_fact

[removeheaderrow]
REGEX = \A[^\n]*\n
DEST_KEY = queue
FORMAT = nullQueue

You are sending the entire event to the nullQueue. If you want to just get rid of the first line of a multi-line event you have to do it differently.
Try something like:

[removeheaderrow]
REGEX = \A[^\n]*\n([\s\S]+)
FORMAT = $1
DEST_KEY = _raw
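
The difference between the two [removeheaderrow] stanzas above, as an added Python example that is not part of the original thread and is not Splunk code: it models a transform as "if REGEX matches _raw, expand FORMAT and write it to DEST_KEY". The sample event, the indexQueue default and the function names are assumptions of this example.

```python
import re

# Constructed sample: one multi-line event whose first line is a header row.
SAMPLE_EVENT = "id,name,due\n1,essay,2020-01-05\n2,quiz,2020-01-09\n"

# The two [removeheaderrow] stanzas from the thread, as plain dicts.
ORIGINAL = {"REGEX": r"\A[^\n]*\n", "DEST_KEY": "queue", "FORMAT": "nullQueue"}
SUGGESTED = {"REGEX": r"\A[^\n]*\n([\s\S]+)", "DEST_KEY": "_raw", "FORMAT": "$1"}


def apply_transform(event, stanza):
    """Simplified model of an index-time transform (an assumption of this
    example, not Splunk code): if REGEX matches _raw, FORMAT is expanded
    and written to DEST_KEY. Returns (queue, _raw)."""
    keys = {"queue": "indexQueue", "_raw": event}
    match = re.search(stanza["REGEX"], event)
    if match is None:
        return keys["queue"], keys["_raw"]  # no match: event is untouched
    # Expand $1..$9 in FORMAT with the regex capture groups.
    value = re.sub(r"\$(\d)", lambda m: match.group(int(m.group(1))),
                   stanza["FORMAT"])
    keys[stanza["DEST_KEY"]] = value
    return keys["queue"], keys["_raw"]


def indexed_text(event, stanza):
    """What would end up indexed: None when the event goes to nullQueue."""
    queue, raw = apply_transform(event, stanza)
    return None if queue == "nullQueue" else raw


if __name__ == "__main__":
    for name, stanza in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(name, "->", repr(indexed_text(SAMPLE_EVENT, stanza)))
```

In this model an event with no newline matches neither REGEX and passes through unchanged.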