Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to configure inputs.conf and props.conf to monitor multiple CSV files in a directory and recognize timestamp in 2nd column?

ryanng
New Member
‎10-02-2014 11:12 PM

Hey everyone,

I am trying to use Splunk to monitor and index multiple CSVs in a directory (e.g. log1.csv / log2.csv in c:\logs), and use the 2nd column of the CSVs as a timestamp. I have tried playing around with inputs.conf and props.conf but to no avail. Format of timestamp in 2nd column(DAY) of each CSV is %Y-%m-d%.

props.conf

[source::C:\\logs\\*]    
TIMESTAMP_FIELDS = DAY
TIME_FORMAT = %Y-%m-%d

inputs.conf

[monitor://c:\logs]    
disabled = false  
followTail = 0    
sourcetype = csv

can anyone advice me how should i go about getting splunk to parse the 2nd column of every csv as timestamp when indexing (the column headers are the same format/header)

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎10-04-2014 06:53 AM

Starting off - I wouldn't do the props.conf like that, use the sourcetype instead. Does your CSV have a header? Make sure you include a time as well.

[csv]
TIMESTAMP_FIELDS = DAY, TIME
TIME_FORMAT = %Y-%m-%d %H:%M:%S
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...