Apologies as I know this has been asked a few times, but none of the answers I have found seem to work.
I have some fairly simple scripts that output 2 row CSV files, like this:
examplefile.csv
Server,ip_address,latency
Test,192.168.0.1,10ms
The script runs on a RPI and using the UFW, but when the UFW extracts the data, it extracts the top row as an event. I have literally tried everything I can think of (props.conf) - here are some of the examples I've tried
[examplecsv]
CHARSET=UTF-8
INDEXED_EXTRACTIONS=csv
DATETIME_CONFIG=CURRENT
CHECK_FOR_HEADER=true
HEADER_FIELD_LINE_NUMBER=1
HEADER_FIELD_DELIMITER=,
FIELD_DELIMITER=,
And
[examplecsv]
CHARSET=UTF-8
INDEXED_EXTRACTIONS=csv
DATETIME_CONFIG=CURRENT
FIELD_NAMES = server,ip_address,latency
And
[examplecsv]
CHARSET=UTF-8
INDEXED_EXTRACTIONS=csv
DATETIME_CONFIG=CURRENT
CHECK_FOR_HEADER=true
PREAMBLE_REGEX = server,ip_address,latency
And even gone as far as this
[examplecsv]
CHARSET = UTF-8
INDEXED_EXTRACTIONS = csv
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
DATETIME_CONFIG = CURRENT
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
category = Custom
disabled = false
HEADER_FIELD_LINE_NUMBER = 1
FIELD_NAMES = server,ip_address,latency
PREAMBLE_REGEX = server,ip_address,latency
I've tried every sensible suggestion and combination of the above but each time it indexes the first line as an event, and it's really bugging me now! I guess I'm doing something obviously wrong.
For completeness, here is my inputs.conf:
[default]
host = test-sensor
[monitor:///home/pi/SplunkFiles/examplefile.csv]
index=main
sourcetype=examplecsv
Props.conf and inputs.conf are both on the UFW and if I run the following command the conf appears:`sudo ./splunk cmd btool props list --debug | grep /opt/splunkforwarder/etc/system/local/props.conf`
Please help me!
↧