I've got a CSV file that has a date that isn't at the start of the line. I'm trying to get Splunk to look for the date but can't get it to work...
Here's a small bit of the data in the CSV file (it's a CSV from the BOM):
IDCJAC0010,086071,2013,02,27,27.6,1,N
IDCJAC0010,086071,2013,02,28,21.4,1,N
IDCJAC0010,086071,2013,03,01,25.1,1,N
IDCJAC0010,086071,2013,03,02,26.9,1,N
IDCJAC0010,086071,2013,03,03,29.1,1,N
IDCJAC0010,086071,2013,03,04,32.7,1,N
The date begins at "2013" (for year), then "03" (month) and then "04" (date).
I've tried using the props thingy to tell Splunk where the date is:
# your settings
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=false
TIME_PREFIX=\{d10},{d6},
I've tried
TIME_PREFIX=\{d6},
or no time prefix and just
TIME_FORMAT=%Y,%m,%d
and
TIME_PREFIX=IDCJAC0010,\d{6},
and
TIME_PREFIX=\{d10},\{d6},
and some other variations which I've now forgotten.
Anyone got any ideas for me? I'm sure it's something simple I've missed...
DS
props.conf should look like this
[funnydate]
TIME_PREFIX=^\w{10},\d{6},
TIME_FORMAT=%Y,%m,%d
where funnydate is your sourcetype
Few things to consider
This should have worked: TIME_PREFIX=IDCJAC0010,\d{6}, so maybe the stanza [funnydate] in props.conf is wrong and not applying the conf - can you post the whole section from props.conf and inputs.conf?
You cannot define time_prefix and time_format on a universal forwarder - this needs to be done on an indexer / heavy forwarder
When you say {d10} and {d6} you actually mean d{10} and d{6}, yeah?
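
An added example, not part of either post: a quick offline check of the TIME_PREFIX candidates from this thread against the sample rows before editing props.conf. It approximates Splunk's behaviour with Python's re and strptime (find the prefix regex, then parse the text right after it with TIME_FORMAT); the helper names extract and check and the width parameter are assumptions made for this sketch.

```python
import re
from datetime import datetime

# Sample rows copied from the question.
SAMPLE = [
    "IDCJAC0010,086071,2013,02,27,27.6,1,N",
    "IDCJAC0010,086071,2013,03,04,32.7,1,N",
]

# TIME_PREFIX candidates that appear in the thread, exactly as typed.
CANDIDATES = [
    r"\{d10},{d6},",        # braces misplaced: matches the literal text "{d10},{d6},"
    r"\{d6},",              # same problem
    r"IDCJAC0010,\d{6},",   # literal station-product code, then six digits
    r"^\w{10},\d{6},",      # anchored form from the answer
]

TIME_FORMAT = "%Y,%m,%d"


def extract(line, time_prefix, time_format=TIME_FORMAT, width=10):
    """Return the datetime found right after time_prefix, or None.

    width is the length of "YYYY,MM,DD" (an assumption of this sketch).
    """
    m = re.search(time_prefix, line)
    if m is None:
        return None  # prefix never matched, so there is nothing to parse
    try:
        return datetime.strptime(line[m.end():m.end() + width], time_format)
    except ValueError:
        return None  # prefix matched, but what follows is not a date


def check(candidates=CANDIDATES, lines=SAMPLE):
    """Map each candidate prefix to the dates it yields for the sample lines."""
    return {p: [extract(line, p) for line in lines] for p in candidates}


if __name__ == "__main__":
    for prefix, dates in check().items():
        shown = [d.date().isoformat() if d else "no match" for d in dates]
        print(f"{prefix!r:24} -> {shown}")
```

If a prefix parses correctly here but events still get the wrong timestamp, the pattern is not the problem and the stanza name or where the props.conf is deployed is the next thing to check.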