Hi Splunkers,
I have structured data in a .csv file that contains the following fields:
2014/10/01-07:16:31,0.121,1.1,S,0.0,0,1,1,1,0,0,1,0,1,S
2014/10/01-07:16:31 is my timestamp.
I tried to add the data to Splunk, but I can't get the timestamp recognised with my regex:
My regex is:
\d{4}\/\d{2}\/\d{2}\-\d{2}\:\d{2}\:\d{2}
I verified it on http://www.regexr.com/.
This is my props.conf:
TIME_PREFIX = \d{4}\/\d{2}\/\d{2}\-\d{2}\:\d{2}\:\d{2}
FIELD_DELIMITER = ,
FIELD_QUOTE = '
INDEXED_EXTRACTIONS = csv
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
disabled = false
pulldown_type = true
How can I edit my configuration to recognize the timestamp?
TIME_PREFIX tells Splunk what to skip/ignore when searching for a timestamp. Because your events start with a timestamp, you do not need that setting at all, so leave it out and try this:
TIME_FORMAT=%Y/%m/%d-%H:%M:%S
Hi Woodcock,
I made a mistake.
Thank you for your help
Cheers!
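Added example, not part of the original thread and not Splunk's own code: a simplified Python model of the behaviour described in the answer, where the TIME_PREFIX match is skipped and TIME_FORMAT is parsed from the end of that match. The function names and the small directive subset are assumptions for illustration; the sample event is the row from the question.

```python
import re
from datetime import datetime

# Sample event: the CSV row quoted in the question.
EVENT = "2014/10/01-07:16:31,0.121,1.1,S,0.0,0,1,1,1,0,0,1,0,1,S"

# Text widths of the strptime directives used on this page (subset only).
_DIRECTIVES = {"Y": r"\d{4}", "y": r"\d{2}", "m": r"\d{2}", "d": r"\d{2}",
               "H": r"\d{2}", "M": r"\d{2}", "S": r"\d{2}"}

def _format_to_regex(time_format):
    """Translate a strptime format into a regex matching the same text."""
    out, i = [], 0
    while i < len(time_format):
        ch = time_format[i]
        if ch == "%" and i + 1 < len(time_format):
            out.append(_DIRECTIVES[time_format[i + 1]])
            i += 2
        else:
            out.append(re.escape(ch))
            i += 1
    return re.compile("".join(out))

def extract_timestamp(event, time_format, time_prefix=None):
    """Skip past the TIME_PREFIX match, then parse TIME_FORMAT at that spot.

    Returns a datetime, or None when no timestamp sits at that position.
    """
    start = 0
    if time_prefix is not None:
        m = re.search(time_prefix, event)
        if m is None:
            return None       # prefix never matched: nothing to parse
        start = m.end()       # parsing begins AFTER the prefix match
    m = _format_to_regex(time_format).match(event, start)
    if m is None:
        return None           # e.g. a two-digit %y against a four-digit year
    try:
        return datetime.strptime(m.group(0), time_format)
    except ValueError:
        return None           # right shape, impossible date (month 13, ...)

if __name__ == "__main__":
    question_prefix = r"\d{4}\/\d{2}\/\d{2}\-\d{2}\:\d{2}\:\d{2}"
    fmt = "%Y/%m/%d-%H:%M:%S"
    print("prefix from the question:", extract_timestamp(EVENT, fmt, question_prefix))
    print("no prefix:               ", extract_timestamp(EVENT, fmt))
```

With the question's TIME_PREFIX the whole timestamp is consumed as "prefix", so parsing starts at `,0.121,...` and nothing is found; an event that silently falls back to another time source is worth catching before it skews searches and timelines.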