Hi,
I have a problem with extracting the timestamp from a CSV file.
Somehow Splunk recognizes the DATE as Date and Time.
Here is a sample of my CSV Log file:
123456;textA;08.03.10 07:54:43;textB;textC;textD
Here is the result I get from the search:
08.03.10 08:03:10,000
123456;textA;08.03.10 07:54:43;textB;textC;textD
As you can see, date and time are the same.
Here is what I expect to see:
08.03.10 07:54:43,000
123456;textA;08.03.10 07:54:43;textB;textC;textD
My props.conf:
[myCSVsourcetype]
TRANSFORMS-null=setnull
TIME_FORMAT = %d.%m.%y %%H:%M:%S
TIME_PREFIX = ^\d+\;\S+\;
My transforms.conf: (to remove header)
[setnull]
REGEX = ^(.*\n){1}
DEST_KEY = queue
FORMAT = nullQueue
What am I doing wrong?
Why does Splunk not recognize the time from the log?
Using Splunk 6.0.2.
CSV file is created and moved to an indexing directory once a day.
Thanks!
changed the typo
You have a typo in your time format:
TIME_FORMAT = %d.%m.%Y %%H:%M:%S
should be
TIME_FORMAT = %d.%m.%y %H:%M:%S
Also, are you sure that textA will never have any whitespace characters? Perhaps your time prefix should be
TIME_PREFIX=.*?;.*?;
My bad, it was a typo in my question. I do have %d.%m.%y %H:%M:%S configured in my props.conf.
I also tried your TIME_PREFIX regex; it didn't work. Somehow Splunk always recognizes the date as date and time, as I described above. Any other idea? Thanks.
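An offline check of the settings discussed in this thread, added here as an example and not part of any post: Python's `re` and `datetime.strptime` stand in for Splunk's timestamp processor (an approximation, not Splunk's own code), applying TIME_PREFIX and then TIME_FORMAT to the sample line from the question. The helper name `extract_timestamp` and the `SPACED` line are made up for the illustration.

```python
import re
from datetime import datetime

# Sample event from the question.
SAMPLE = "123456;textA;08.03.10 07:54:43;textB;textC;textD"
# Constructed variant: second field contains whitespace.
SPACED = "123456;text A;08.03.10 07:54:43;textB;textC;textD"

PREFIX_QUESTION = r"^\d+\;\S+\;"    # TIME_PREFIX from the question
PREFIX_ANSWER = r".*?;.*?;"         # TIME_PREFIX suggested in the answer
FORMAT_TYPO = "%d.%m.%y %%H:%M:%S"  # as first posted; %% is a literal '%'
FORMAT_FIXED = "%d.%m.%y %H:%M:%S"  # corrected format


def extract_timestamp(event, time_prefix, time_format):
    """Skip past the prefix match, then parse what follows with the format.

    Returns a datetime, or None if the prefix does not match or the text
    after it does not fit the format.
    """
    match = re.search(time_prefix, event)
    if match is None:
        return None
    rest = event[match.end():]
    # strptime must consume its whole input, so try the longest candidate
    # first and shrink until the format fits.
    for end in range(len(rest), 0, -1):
        try:
            return datetime.strptime(rest[:end], time_format)
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    cases = [
        ("question prefix, typo format", SAMPLE, PREFIX_QUESTION, FORMAT_TYPO),
        ("question prefix, fixed format", SAMPLE, PREFIX_QUESTION, FORMAT_FIXED),
        ("question prefix, spaced field", SPACED, PREFIX_QUESTION, FORMAT_FIXED),
        ("answer prefix, spaced field", SPACED, PREFIX_ANSWER, FORMAT_FIXED),
    ]
    for label, event, prefix, fmt in cases:
        print(f"{label}: {extract_timestamp(event, prefix, fmt)}")
```

If the corrected pair parses the sample here but the indexed event still shows a different time, compare these values against what Splunk actually loaded for the sourcetype.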