Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Problems with CSV timestamps

kooixiuhong
New Member
‎07-03-2018 01:06 AM

Hi, I have some csv files on my Splunk index. The files are named with a date like xxxxx20180703.csv . In the csv files there is a field with a time in 12:30:45 PM format. The timestamp is able to pickup the date and time. However I have an issues where on some of the files(not all) it detects 11pm properly but then it treats 12 AM as the next day and any time after that will be labeled as the next day as well.

0 Karma
Reply

kmorris_splunk
Splunk Employee
Splunk Employee
‎07-03-2018 09:36 AM

You could use a custom datetime.xml file and reference it from your props.conf file. Below is an example I used where I had a similar issue. The data I was working with had a time in the data, but the date was in the file name. My filenames looked something like the following:

filename2018_07_03.txt

I just copied and pasted an existing definition that was similar and tweaked it in. You need to change the name, the extract as well if the order is different, and the regex to extract the values.

<define name="_masheddate3" extract="year, month, day">
    <text><![CDATA[source::.*?/sampledata/\w+(\d{4})_(\d{2})_(\d{2})\.txt]]></text>
</define>
0 Karma
Reply

kooixiuhong
New Member
‎07-03-2018 07:33 PM

Splunk have no problem reading the date and time. My problem is that for one file, Splunk reads 11pm and treats any events pass midnight as the next day and not the same day. It only mysteriously happens for one csv file and the rest are read perfectly.

0 Karma
Reply

niketn
Legend
‎07-03-2018 06:48 AM

Would the following help?
https://answers.splunk.com/answers/557841/how-to-extract-date-from-filename-and-add-it-with.html

Have you defined TIME_FORMAT as per your time field in the csv file field?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-03-2018 06:02 AM

It would be helpful to see some sample events.
What are the props.conf settings for that sourcetype?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

kooixiuhong
New Member
‎07-03-2018 07:31 PM

I've used the csv sourcetype. It is able to correctly read the date and time for most of the files. It is just the first file I am having issue with for some reason.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-06-2018 05:33 AM

What is different about the first file?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...