Getting Data In

How do I format my date/time in a CSV file so that Splunk will recognize it as a timestamp?

mecrass
New Member

I've tried Time_Format= %m/%d/%y %h:%m and i still get a parsing error saying it can't parse 12/01/2015 0:00 which makes no sense because that's exactly as it should be parsed. Any suggestions on what I may be missing? I want to change in my CSV before I upload into Splunk. I've tried changing to date, time, general, everything. It's so basic, I can't see what Splunk's issue is.

Sample:
Date Acct_Number Employee_Id Case_Id Status_Desc
12/1/15 0:00 233657933201 937018 C105138792 CLOSED
12/1/15 0:00 231218910100 851905 C105145259 CLOSED

0 Karma
1 Solution

Richfez
SplunkTrust
SplunkTrust

I had to fix this in some logs a long time ago, and I did so by editing the $splunkhome/etc/datetime.xml.

There's a section like this

<define name="_hour" extract="hour">
    <text><![CDATA[([01]?[1-9]|[012][0-3])(?!\d)]]></text>
</define>

Change the [1-9] in the middle to [0-9] like this

<define name="_hour" extract="hour">
    <text><![CDATA[([01]?[0-9]|[012][0-3])(?!\d)]]></text>
</define>

Let us know if that fixed your problem! (It certainly made the test CSV I created with your data in it seem to get properly parsed, so it should be good).

View solution in original post

0 Karma

Richfez
SplunkTrust
SplunkTrust

I had to fix this in some logs a long time ago, and I did so by editing the $splunkhome/etc/datetime.xml.

There's a section like this

<define name="_hour" extract="hour">
    <text><![CDATA[([01]?[1-9]|[012][0-3])(?!\d)]]></text>
</define>

Change the [1-9] in the middle to [0-9] like this

<define name="_hour" extract="hour">
    <text><![CDATA[([01]?[0-9]|[012][0-3])(?!\d)]]></text>
</define>

Let us know if that fixed your problem! (It certainly made the test CSV I created with your data in it seem to get properly parsed, so it should be good).

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...