We have a system, Splunk 4.2.1 (build 98164), that scans a directory to read in CSV files, which include comma-delimited header lines.
This usually works fine, but periodically, instead of properly interpreting the header line, the CHECK_FOR_HEADER/AutoHeader function identifies a space as the delimiter, even though there are no spaces in the header line, and creates an AutoHeader in which the entire comma-delimited header is identified as one big field name:
[AutoHeader-11]
DELIMS = " "
FIELDS = "SessionID,AnalyzerIP,AnalyzerID,PopNm,TimeStamp,Date,Hour,Minute,TzOfstMins,TzDst,TzNm,TzDstNm,ClientIP,ServerIP,Protocol,Tag,TimeStampFrac,ProtocolEventID,ID,Proto,Type,Name,Class,TTL,Rdata"
The line in the file is perfectly ordinary, formatted identically to header lines that are processed correctly. In fact, earlier in transforms.conf, the exact same header is identified correctly:
[AutoHeader-7]
DELIMS = ","
FIELDS = "SessionID", "AnalyzerIP", "AnalyzerID", "PopNm", "TimeStamp", "Date", "Hour", "Minute", "TzOfstMins", "TzDst", "TzNm", "TzDstNm", "ClientIP", "ServerIP", "Protocol", "Tag", "TimeStampFrac", "ProtocolEventID", "ID", "Proto", "Type", "Name", "Class", "TTL", "Rdata"
Does anyone have any idea what could cause this?
... View more