I've tried Time_Format= %m/%d/%y %h:%m and I still get a parsing error saying it can't parse 12/01/2015 0:00, which makes no sense because that's exactly as it should be parsed. Any suggestions on what I may be missing? I want to change it in my CSV before I upload into Splunk. I've tried changing to date, time, general, everything. It's so basic, I can't see what Splunk's issue is.
Sample:
Date Acct_Number Employee_Id Case_Id Status_Desc
12/1/15 0:00 233657933201 937018 C105138792 CLOSED
12/1/15 0:00 231218910100 851905 C105145259 CLOSED
I had to fix this in some logs a long time ago, and I did so by editing the $splunkhome/etc/datetime.xml.
There's a section like this
<define name="_hour" extract="hour">
<text><![CDATA[([01]?[1-9]|[012][0-3])(?!\d)]]></text>
</define>
Change the [1-9] in the middle to [0-9], like this:
<define name="_hour" extract="hour">
<text><![CDATA[([01]?[0-9]|[012][0-3])(?!\d)]]></text>
</define>
Let us know if that fixed your problem! (It certainly made the test CSV I created with your data in it seem to get properly parsed, so it should be good).
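An added check, not part of the original answer or of Splunk's own code: the two _hour patterns quoted above, run with Python's re module against every hour token from 0 to 23, to show which tokens each pattern rejects and that the edited one does not start accepting out-of-range hours. The function names and test strings are constructed for this example, and it assumes the patterns behave the same in Python's regex engine as in Splunk's, since they use only character classes and a negative lookahead.

```python
import re

# The two _hour patterns exactly as quoted in the answer above.
ORIGINAL_HOUR = r"([01]?[1-9]|[012][0-3])(?!\d)"
EDITED_HOUR = r"([01]?[0-9]|[012][0-3])(?!\d)"


def hour_tokens():
    """Constructed test input: hours 0-23 unpadded, plus zero-padded 00-09."""
    unpadded = [str(h) for h in range(24)]
    padded = [f"{h:02d}" for h in range(10)]
    return unpadded + padded


def rejected_hours(hour_pattern, tokens=None):
    """Return the hour tokens for which '<hour>:00' does not match hour + ':00'."""
    regex = re.compile(hour_pattern + r":00")
    tokens = hour_tokens() if tokens is None else tokens
    return [t for t in tokens if regex.fullmatch(f"{t}:00") is None]


def accepts_out_of_range(hour_pattern):
    """Return any invalid hour tokens (24-29, three digits) the pattern accepts."""
    regex = re.compile(hour_pattern + r":00")
    bad = [str(h) for h in range(24, 30)] + ["000", "123"]
    return [t for t in bad if regex.fullmatch(f"{t}:00")]


if __name__ == "__main__":
    # The original pattern fails only on an unpadded zero hour, as in "0:00".
    print("original rejects:", rejected_hours(ORIGINAL_HOUR))
    print("edited rejects:  ", rejected_hours(EDITED_HOUR))
    print("edited accepts out-of-range:", accepts_out_of_range(EDITED_HOUR))
```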