This has frustrated me for 2 days now. What I want to do is monitor a folder containing multiple files and exclude the first line of each file, which is a file header. To do so, I want to set up an input and create a sourcetype that uses a TRANSFORM to send the file header line (in the form "##Filename##") to nullQueue. Here is what I have tried so far.
- Splunk 6 is installed fresh with no data/sources/sourcetypes.
- Created an input to the folder with just 1 file and defined the sourcetype. All this from the UI.
- I went to the file system and could only find that inputs.conf in etc/system/local got updated and has my monitor folder stanza. I couldn't find a props.conf (which, I believe, is where the sourcetype is saved) anywhere that got updated.
- So I created a props.conf manually in etc/system/local to include the TRANSFORM (mentioned below), created transforms.conf with the corresponding change, and restarted Splunk.
- Then I placed some new files (after the restart was over); the file got indexed, but I still see that file header in the file.
inputs.conf
[monitor://C:\somesoni2\logs]
disabled = false
followTail = 0
sourcetype = stypeMain
props.conf
[stypeMain]
BREAK_ONLY_BEFORE = <?xml version="1.0"
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = true
TIME_PREFIX = <TimeStampCol>
pulldown_type = 1
TRANSFORMS-null= setnull
transforms.conf
[setnull]
REGEX = FileName
DEST_KEY = queue
FORMAT = nullQueue
Not sure what to try next. Please suggest.
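As an added example (not part of the original question or of Splunk's own documentation), here is a props.conf/transforms.conf pair that routes a "##Filename##" header line to nullQueue. It keeps the poster's stanza name stypeMain and the etc/system/local location, but the transform name drop_file_header, the exact header shape (a line consisting of ##...##) and the escaped BREAK_ONLY_BEFORE pattern are assumptions. The regex is case-insensitive and anchored to the whole event, so a header that happens to get merged into the first XML event is not silently discarded along with that event.

```ini
# props.conf  (etc/system/local/props.conf)
[stypeMain]
SHOULD_LINEMERGE = true
# BREAK_ONLY_BEFORE is a regex, so the '?' and '.' are escaped
BREAK_ONLY_BEFORE = <\?xml version="1\.0"
NO_BINARY_CHECK = 1
TIME_PREFIX = <TimeStampCol>
# index-time transform class; the suffix after TRANSFORMS- is an arbitrary label
TRANSFORMS-dropheader = drop_file_header

# transforms.conf  (etc/system/local/transforms.conf)
[drop_file_header]
# Assumed header shape: a single line of the form ##<name>##
# (?i) makes the match case-insensitive (PCRE is case-sensitive by default,
# so "FileName" would not match "Filename"); ^ and $ require the header to be
# the entire event, so a merged XML event is never sent to nullQueue.
REGEX = (?i)^##[^#\r\n]+##\s*$
DEST_KEY = queue
FORMAT = nullQueue
```

After restarting, test with a file Splunk has not seen before: files already read are tracked in the fishbucket and are not re-indexed, so a config change only shows up on new data. If the sourcetype was created from the UI, it is typically written under etc/apps/<app>/local/props.conf rather than etc/system/local; a stanza in etc/system/local still takes precedence, so the two do not conflict, but it explains why no props.conf appeared in etc/system/local.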