Solved: Custom timestamps for csv format?

tamduong16 · ‎11-14-2017

I have the following data from csv file that I want to index into splunk.

I want to set the timestamp to be the highlighted portions but if I select auto for timestamp it will grab the first timestamp that it detects. So I modify the props.conf file to add the following line:
TIME_PREFIX=^([^,]*,){4}
which tell it to take the timestamp after the 4th comma. But for some reasons it grabs the 10-27-2017 along with 00:04:44 but skip the 6:20 PM (which is the actual time that i need). Is there anything I could do to avoid this? Thanks!

Genti · ‎11-14-2017

So, it looks like its grabbing the correct field.
Have you provided a TIME_FORMAT?

Splunk can't recognize on its own that 00:04:44 is NOT the correct time. it is the most common sense thing to be the time.
So you need to provide the CORRECT FORMAT.

something like:

TIME_FORMAT="%m-%d-%Y","%I:%M %p"

View solution in original post

Genti · ‎11-14-2017

So, it looks like its grabbing the correct field.
Have you provided a TIME_FORMAT?

Splunk can't recognize on its own that 00:04:44 is NOT the correct time. it is the most common sense thing to be the time.
So you need to provide the CORRECT FORMAT.

something like:

TIME_FORMAT="%m-%d-%Y","%I:%M %p"

tamduong16 · ‎11-14-2017

work like a champ. thanks!

Genti · ‎11-14-2017

huzzah!!!!

Custom timestamps for csv format?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life