Hello Splunk Community,
I uploaded custom CSV files to Splunk for indexing. The CSV Header for each file is being indexed with a time stamp for the day the file is uploaded. I do not want the CSV Header returned in the results. I have looked through the answer.splunk knowledge base and attempted to configure the props.conf and transforms.conf as suggested by other users. I am not achieving the results I desire. I am still indexing the CSV Header as an event when the Header should just be ignored.
My Headers include Number, Date Time, Service, Source Port, Source, Destination, Protocol
Please help if possible.
You can simply null-queue the event with the header. Look for the section titled: "Filter event data and send to queues" here in the docs http://www.splunk.com/base/Documentation/4.2.2/Deploy/Routeandfilterdatad
answered 20 Jul '11, 07:51
I have run into the same issue. I just end up deleting that particular event. Click on the event to isolate it in the results, then just pipe it to delete:
<mysearch> | delete
Make sure you have the can delete role or else it wont work.
answered 18 Jul '11, 13:44