Getting Data In

timestamp equals to none for CSV file [ unable to get a date field as a timestamp]

mmekroud
Explorer

Hello,
I am trying to get splunk to parse the timestamps properly in my CSV, II Here are the first lines of the CSV :

FIELD1;FIELD2;FIELD3;FIELD4;FIELD5;FIELD6;FIELD7;FIELD8;FIELD9;FIELD10;DATE
LM649357315;;3L00053;;SSL;DIRAH;1;0;0;0;03/06/2016
DR49JJ54362908;;5B00206;;RRM;KINO;26;1;0;2;03/06/2016

When i apply my props.conf and transforms.conf, the fields are getting right, but the timestamp still none, and _time field get the indexed time period

could you please help me in this case,


props.conf
[source::.../my_csv_file.csv]

INDEXED_EXTRACTIONS = csv
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIME_PREFIX=^([^;]*;){10}
TIMESTAMP_FIELDS = DATE
TIME_FORMAT = %d/%m/%Y
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true

Report-1 = data_extract


transforms.conf
[data_extract]
DELIMS = ";"
FIELDS = "FIELD1";"FIELD2";"FIELD3";"FIELD4";"FIELD5";"FIELD6";"FIELD7";"FIELD8";"FIELD9";"FIELD10";"DATE"

thanks in advance,

regards,
mm

0 Karma

jeffland
SplunkTrust
SplunkTrust

You should omit TIME_PREFIX for csv data. By giving TIMESTAMP_FIELDS, you're already pointing to where the timestamp should be read as %d/%m/%Y.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...