Use INDEXED_EXTRACTIONS = CSV, then TIMESTAMP_FIELDS and TIME_FORMAT in props.conf: http://docs.splunk.com/Documentation/Splunk/6.2.2/admin/propsconf
More info about INDEXED_EXTRACTIONS: http://docs.splunk.com/Documentation/Splunk/6.2.2/Data/Extractfieldsfromfileheadersatindextime
I'll check it out... Cheers!
Just following up... I have the below entry in my props.conf. When I try to upload a CSV, I get an error in the time column saying "Failed to parse time stamp, defaulting to modtime".
Any ideas?
A sample of the Uploaded column:
7/01/2015 12:51
[csv]
SHOULD_LINEMERGE = False
pulldown_type = true
INDEXED_EXTRACTIONS = csv
KV_MODE = none
category = Structured
TIMESTAMP_FIELDS = Uploaded
TIME_FORMAT = "%m/%d/%Y %H:%M"
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
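
A way to pre-check the Uploaded column against a TIME_FORMAT string before uploading, added here as an example and not part of the original thread. It uses Python's strptime, assumed to treat these directives the same way Splunk does; the second format keeps the quote characters as literal text, which is an assumption about how a quoted value would be read. Only the first sample value comes from the post; the other rows are constructed.

```python
import csv
import io
from datetime import datetime

# Constructed sample: header row with an "Uploaded" column.
# Only the first value (7/01/2015 12:51) is taken from the post.
SAMPLE_CSV = """Name,Uploaded
report-a,7/01/2015 12:51
report-b,13/01/2015 09:05
report-c,2015-01-07 12:51
report-d,1/25/2015 08:00
"""


def parses(value, fmt):
    """Return True if value matches the strptime format exactly."""
    try:
        datetime.strptime(value, fmt)
        return True
    except ValueError:
        return False


def check_column(csv_text, field, fmt):
    """Sort each timestamp into ok, ambiguous (also valid with day and
    month swapped, so it may be indexed under the wrong date) or failed."""
    swapped = fmt.replace("%m", "\0").replace("%d", "%m").replace("\0", "%d")
    report = {"ok": [], "ambiguous": [], "failed": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        value = row[field]
        if not parses(value, fmt):
            report["failed"].append(value)
        elif swapped != fmt and parses(value, swapped):
            report["ambiguous"].append(value)
        else:
            report["ok"].append(value)
    return report


if __name__ == "__main__":
    # Unquoted format, then the same format with literal quote characters.
    for fmt in ('%m/%d/%Y %H:%M', '"%m/%d/%Y %H:%M"'):
        print(repr(fmt), check_column(SAMPLE_CSV, "Uploaded", fmt))
```

Rows reported as ambiguous parse without error but can land on the wrong day, which skews any time-bounded search over the indexed data.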