|
Hello Splunk Community, I uploaded custom CSV files to Splunk for indexing. The CSV Header for each file is being indexed with a time stamp for the day the file is uploaded. I do not want the CSV Header returned in the results. I have looked through the answer.splunk knowledge base and attempted to configure the props.conf and transforms.conf as suggested by other users. I am not achieving the results I desire. I am still indexing the CSV Header as an event when the Header should just be ignored. My Headers include Number, Date Time, Service, Source Port, Source, Destination, Protocol Please help if possible. |
|
You can simply null-queue the event with the header. Look for the section titled: "Filter event data and send to queues" here in the docs http://www.splunk.com/base/Documentation/4.2.2/Deploy/Routeandfilterdatad |
|
I have run into the same issue. I just end up deleting that particular event. Click on the event to isolate it in the results, then just pipe it to delete: <mysearch> | delete Make sure you have the can delete role or else it wont work. Thanks for your help, Although this WILL remove the Header after it is indexed, I have hundreds of CSV files I am collecting and will be indexing for this project. Can someone explain the method to remove the CSV header from being published as an event? Why does splunk assign a datetime to the CSV header?...based off the datetime the file was created? I would like to configure the Splunk instance to monitor a file location for any changes and NOT publish the CSV header as an event. I do not want to have to delete each CSV Header instance as they are indexed or perhaps re-indexed.
(19 Jul '11, 13:58)
srsava
|
