Hi,
I receive log file from my servers.
All files are CSVs.
CSVs which contain header + data are well parsed.
However, CSV which are empty an contain only the header following with nothing are not parsed correctly.
Indeed, when empty file are parsed, Splunk parses the headers of the CSV as data.
This is not the bahavior I want.
When I configure the source, I checked to ignore the first line as the first line is always the header.
Do you have any suggestion?
[csv_ad]
DATETIME_CONFIG =
HEADER_FIELD_LINE_NUMBER = 1
INDEXED_EXTRACTIONS = csv
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true
TIMESTAMP_FIELDS =
hello there,
please read here:
http://docs.splunk.com/Documentation/Splunk/6.6.0/Data/Extractfieldsfromfileswithstructureddata#Only...
maybe worthwhile to work with "no headers"
this answer explains it in more detail:
https://answers.splunk.com/answers/5404/best-way-to-define-fields-for-a-csv-with-no-headers.html
hope it helps