Hi,
I have a CSV file with header that is monitored by Splunk. Rows are correctly read but the headers are also include as a event row. I just want to have the header as extraction fields (which already works at the same time).
I tried several ideas using props.conf without any success. I also had a look to the similar questions already asked by other users.
My last props.conf looks like:
[mysourcetype]
INDEXED_EXTRACTIONS = csv
HEADER_FIELD_LINE_NUMBER = 1
HEADER_FIELD_DELIMITER = ","
FIELD_DELIMITER = ","
FIELD_HEADER_REGEX = hostname,SCSI logical unit,DeviceID,SCSIBus,SCSIPort,SCSITargetId
I hope someone can help sorting out that.
Thanks,
SirHill
↧