Refine your search:

how to ignore the titile line of the csv file in the result? and display in a KV format?

1
1

I try to add some csv files, which contain data like the followings

Time, ACTION,ORDER_NO, ...

2009-11-2 20:00:00.041,REQUEST,48613840, ...

2009-11-2 20:00:00.041,REQUEST,48613839, ...

2009-11-2 20:00:00.041,REQUEST_ACK,48613840, ...

2009-11-2 20:00:00.041,REQUEST_ACK,48613839, ...

2009-11-2 20:00:00.046,REQUEST,48613841, ...

when I set the input source type as "csv", then the input file can be recognized with an "AutoHeader-1" stanza and a "csv-2" stanza being added to "$Splunk\etc\apps\learned\local\transforms.conf" and "$Splunk\etc\apps\learned\local\props.conf" respectively.

But I still have two problem,

  1. the first line (title line "Time, ACTION,ORDER_NO, ...") will be take as an event also, as follows

    10-4-5 02:49:28.000 _time,ACTION,ORDER_NO, ...

    2009-11-2 20:00:00.074,REQUEST,48613844, ...

    2009-11-2 20:00:00.055,REQUEST_ACK,48613842, ...

    so, how can I remove the title line from the result?

  2. How can I display the result in an KV format?

asked 05 Apr '10, 07:42

William's gravatar image

William
908
accept rate: 75%

edited 05 Apr '10, 15:46

gkanapathy's gravatar image

gkanapathy ♦
26.2k1622
4 Answers:
oldestnewestmost voted
1

You can add the CHECK_FOR_HEADER = true on the props.conf.

link

answered 05 Apr '10, 13:33

BunnyHop's gravatar image

BunnyHop
7254423
accept rate: 25%

thanks, it works for the 2nd question.

(07 Apr '10, 13:42) William
2

in your props.conf also add this line:

[yoursourcetype]
TRANSFORMS-NoHeader = NoHeader

on your transforms.conf add this:

[NoHeader]
REGEX = Time, ACTION,ORDER_NO, ...
DEST_KEY = queue
FORMAT = nullQueue
link

answered 07 Apr '10, 14:32

BunnyHop's gravatar image

BunnyHop
7254423
accept rate: 25%

edited 20 Apr '10, 20:26

0

  1. I would just leave it there and ignore it/exclude it in your searches, but if you really really want to, you can apply a regex TRANSFORM to strip it out.

  2. Probably would be better if you were more specific about what you are trying to show/find. Splunk can transform results, but it's probably not very useful to simply rewrite the raw event text in a different format. What are you trying do or show with the data itself?

link

answered 05 Apr '10, 15:49

gkanapathy's gravatar image

gkanapathy ♦
26.2k1622
accept rate: 42%

0

Seriously folks, the solution in answer <1> should be the default behaviour. Why would you want the headers included in your indexed data???

link

answered 28 Jul '10, 05:51

cmeo's gravatar image

cmeo
1307
accept rate: 0%

Do you really want Splunk choosing (own its own) to just drop certain events out of your log files?

(02 Aug '11, 10:43) Lowell ♦
Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×351
×186
×95

Asked: 05 Apr '10, 07:42

Seen: 1,440 times

Last updated: 02 Aug '11, 10:43

Related questions

How do I configure data inputs for .csv files with dynamic field headers for a new event on each line

CSV field extraction on a deployed app

splunk field extraction csv

.CSV file and lookup field

How to display latest value of CSV file?

Which is faster and which is smaller - csv or kv

All fields from a lookup.csv file appear except the date field?

Indexed CSV wont line break?

Copyright © 2005-2012 Splunk, Inc. All rights reserved.