How to extract the date from CSV to use as the _ti...

bibhutig · ‎11-13-2015

Date Time Sail Date Ship_Code Duration Activity_Code Book_Type Cabin # Channel Id Location Code 
20151023 000001 151116 FS 5 NBK I R57 IC IC

Let me explain the scenario in details. I am very new to Splunk and have a very basic understanding.
I am monitoring a particular folder for my system log file. The first entry in that file is Activity_Time and it starts from midnight.
Time Column of the CSV file has data which I am reading in a sorted order.

Time
1
1
1
1
1
2
2
2
6
6
6
6
12
14
16
16
16
16
16

When I upload this data to Splunk and try to display an incremental chart of count, Splunk shows the count based on the data's _indextime. Eg, if I upload or Splunk reads the above data at 10 PM, in the graph, all values come as values for 10 PM, but this is not the fact. The actual time is the activity time which I want to get accounted for that count.

sundareshr · ‎11-13-2015

What do you have in the props.conf and transforms.conf? You will need to specify the column that has time values. If you did the upload from the data inputs UI. There is a step where you can select the sourcetype and define timefield. Hope this helps.

How to extract the date from CSV to use as the _time field?

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...