Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to configure inputs.conf and props.conf to monitor multiple CSV files in a directory and recognize timestamp in 2nd column?

ryanng
New Member
‎10-02-2014 11:12 PM

Hey everyone,

I am trying to use Splunk to monitor and index multiple CSVs in a directory (e.g. log1.csv / log2.csv in c:\logs), and use the 2nd column of the CSVs as a timestamp. I have tried playing around with inputs.conf and props.conf but to no avail. Format of timestamp in 2nd column(DAY) of each CSV is %Y-%m-d%.

props.conf

[source::C:\\logs\\*]    
TIMESTAMP_FIELDS = DAY
TIME_FORMAT = %Y-%m-%d

inputs.conf

[monitor://c:\logs]    
disabled = false  
followTail = 0    
sourcetype = csv

can anyone advice me how should i go about getting splunk to parse the 2nd column of every csv as timestamp when indexing (the column headers are the same format/header)

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎10-04-2014 06:53 AM

Starting off - I wouldn't do the props.conf like that, use the sourcetype instead. Does your CSV have a header? Make sure you include a time as well.

[csv]
TIMESTAMP_FIELDS = DAY, TIME
TIME_FORMAT = %Y-%m-%d %H:%M:%S
0 Karma
Reply
Get Updates on the Splunk Community!

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...