I want to index and search CSV files in Splunk.
Each file has a header at the first line:
number1,number2, number3,
1,2,3
4,5,6
I've created a custom CSV sourcetype in props.conf and defined custom fields I want to use instead of the header in transforms.conf:
props.conf:
[custom-csv]
DATETIME_CONFIG = CURRENT
INDEXED_EXTRACTIONS = csv
NO_BINARY_CHECK = true
category = Structured
pulldown_type = true
SHOULD_LINEMERGE = false
disabled = false
KV_MODE = none
REPORT-custom= REPORT-custom
transforms.conf:
[REPORT-custom]
DELIMS = ","
FIELDS = number1, number2, number3
However, when I run a search I can still see the original field names extracted from the header plus the new ones I have defined in transforms.conf.
Is there a way to make Splunk ignore the header line?