Getting Data In

Splunk UFW - Indexing Headers as Events

krisalexroberts
New Member

Apologies as I know this has been asked a few times, but none of the answers I have found seem to work.

I have some fairly simple scripts that output 2 row CSV files, like this:

examplefile.csv
Server,ip_address,latency
Test,192.168.0.1,10ms

The script runs on a RPI and using the UFW, but when the UFW extracts the data, it extracts the top row as an event. I have literally tried everything I can think of (props.conf) - here are some of the examples I've tried

[examplecsv]
CHARSET=UTF-8
INDEXED_EXTRACTIONS=csv
DATETIME_CONFIG=CURRENT
CHECK_FOR_HEADER=true
HEADER_FIELD_LINE_NUMBER=1
HEADER_FIELD_DELIMITER=,
FIELD_DELIMITER=,

And

[examplecsv]
CHARSET=UTF-8
INDEXED_EXTRACTIONS=csv
DATETIME_CONFIG=CURRENT
FIELD_NAMES = server,ip_address,latency

And

    [examplecsv]
    CHARSET=UTF-8
    INDEXED_EXTRACTIONS=csv
    DATETIME_CONFIG=CURRENT
    CHECK_FOR_HEADER=true
    PREAMBLE_REGEX = server,ip_address,latency

And even gone as far as this

[examplecsv]
CHARSET = UTF-8
INDEXED_EXTRACTIONS = csv
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
DATETIME_CONFIG = CURRENT
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
category = Custom
disabled = false
HEADER_FIELD_LINE_NUMBER = 1
FIELD_NAMES = server,ip_address,latency
PREAMBLE_REGEX = server,ip_address,latency

I've tried every sensible suggestion and combination of the above but each time it indexes the first line as an event, and it's really bugging me now! I guess I'm doing something obviously wrong.

For completeness, here is my inputs.conf:

[default]
host = test-sensor
[monitor:///home/pi/SplunkFiles/examplefile.csv]
index=main
sourcetype=examplecsv

Props.conf and inputs.conf are both on the UFW and if I run the following command the conf appears:sudo ./splunk cmd btool props list --debug | grep /opt/splunkforwarder/etc/system/local/props.conf

Please help me!

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...