I am trying to add some CSV files, which contain data like the following:
Time, ACTION,ORDER_NO, ...
2009-11-2 20:00:00.041,REQUEST,48613840, ...
2009-11-2 20:00:00.041,REQUEST,48613839, ...
2009-11-2 20:00:00.041,REQUEST_ACK,48613840, ...
2009-11-2 20:00:00.041,REQUEST_ACK,48613839, ...
2009-11-2 20:00:00.046,REQUEST,48613841, ...
When I set the input source type as "csv", the input file is recognized, with an "AutoHeader-1" stanza and a "csv-2" stanza being added to "$Splunk\etc\apps\learned\local\transforms.conf" and "$Splunk\etc\apps\learned\local\props.conf" respectively.
But I still have two problems.
The first line (title line "Time, ACTION,ORDER_NO, ...") is also taken as an event, as follows:
10-4-5 02:49:28.000 _time,ACTION,ORDER_NO, ...
2009-11-2 20:00:00.074,REQUEST,48613844, ...
2009-11-2 20:00:00.055,REQUEST_ACK,48613842, ...
So, how can I remove the title line from the result?
How can I display the result in a KV format?