Splunk Enterprise

Splunk parsing day of year incorrectly?

arechenberg
Explorer

Good day.

I am trying to import a CSV into Splunk and specifying a Timestamp format and it appears Splunk is not calculating the day of year properly.

My data has a column called 'Start Time' with values such as 222/06:00:00. I have specified the timestamp field as Start Time and the Timestamp format as

%j/%H:%M:%S

Splunk correctly identifies the time but it assumes the day/date starts as today (08/15/2016) instead of the specified day of year in the imported data (e.g. 222 is actually 9 Aug. 2016).

I have tested this conversion by editing my CSV so that one of the rows has 001/06:05:04, which should parse to 01/01/2016 06:05:04.000 but instead parses to 08/15/2016 06:05:04.000.

I've tried this data import on both Splunk Light Free (6.4.0) and Splunk Enterprise (6.4.2) and the results are the same.

Is this a problem with my data or with the way Splunk is parsing the day of year value?

Thanks,
Andy

0 Karma
1 Solution

lguinn2
Legend

I believe that @sundareshr is correct:
"You [sic] date format doesn't have a year value. Only has day of the year, which occurs every year. So splunk defaults to current date."

The timestamp format must yield a complete and valid date. A partial date will not work. Here is How Timestamp Assignment Works. So you need to get the year into the date somewhere.

arechenberg
Explorer

Thanks for the reply Lisa. That was indeed the issue. I added the year in front as such:

  2016/231/06:00:00

Splunk then parsed the timestamp as expected.

Thanks again!

0 Karma
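The point from the accepted answer and the follow-up above, as an added example that is not part of the original thread: a pre-ingestion check that flags a timestamp format with no year directive and rewrites a day-of-year column the way Andy did (prefixing the year), so events land on the correct date instead of the ingestion date. It assumes the CSV column is named 'Start Time' and that the year to prepend (2016, as in the thread) is known to the operator; the sample rows are constructed.

```python
"""Check and repair day-of-year timestamps before a CSV is ingested.

Added example, not from the original post. Assumes the CSV column is called
'Start Time' and that the correct year (2016 here) is known to the operator.
"""
import csv
import io
from datetime import datetime

# strptime directives that supply a year; a format without one cannot yield a
# complete date, and the ingesting system fills in a default (Splunk: the
# current date, Python: 1900), so the event is silently misdated.
YEAR_DIRECTIVES = ("%Y", "%y")


def format_has_year(fmt):
    """True if the timestamp format can produce a year component."""
    return any(d in fmt for d in YEAR_DIRECTIVES)


def repair_start_time(value, year):
    """Prefix a day-of-year value like '222/06:00:00' with the year,
    giving '2016/222/06:00:00' as in the thread's fix."""
    return "%d/%s" % (year, value)


def parse_start_time(value, fmt="%Y/%j/%H:%M:%S"):
    """Parse the repaired value with the matching format (%Y added)."""
    return datetime.strptime(value, fmt)


def repair_csv(text, year, column="Start Time"):
    """Return the rows with the timestamp column repaired and verified."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        fixed = repair_start_time(row[column], year)
        parse_start_time(fixed)  # raises ValueError if still unparseable
        row[column] = fixed
        rows.append(row)
    return rows


# Constructed sample resembling the thread's data, not the poster's real file.
SAMPLE_CSV = "Start Time,Event\n222/06:00:00,login\n001/06:05:04,logout\n"

if __name__ == "__main__":
    print("original format has year:", format_has_year("%j/%H:%M:%S"))
    for r in repair_csv(SAMPLE_CSV, 2016):
        print(r["Start Time"], "->", parse_start_time(r["Start Time"]))
```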

somesoni2
SplunkTrust
SplunkTrust

The above format does work for me (Splunk 6.2.6). Could you share the props.conf you're trying to use for the sourcetype? (If using Splunk's Add Data from the UI, go to the advanced section on the left and copy to clipboard.)

0 Karma

sundareshr
Legend

Your date format doesn't have a year value. It only has the day of the year, which occurs every year. So Splunk defaults to the current date.
