Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Inconsistent indexing time on CSV monitor

swamysanjanaput
Explorer
‎01-28-2020 08:55 PM

We have been using daily CSV exports from our "X" monitoring servers that we then display on our performance board each morning.
The" X" server runs an export of current tickets at 06:30 each morning which is exported to a CSV in a location monitored by Splunk.

Recently, the records have been indexed at inconsistent times, causing issues with our graphs.
Although the report always runs at 0630, some records are not being indexed until 12:00 the same day

Note: The csv files are consistently created at 0630 and then not touched until they're rotated out after 7 days.

Eg. 34 events are indexed at 6:30 everyday and 8 events are being indexed at 12 the same day, when further analysed we noticed fields were truncated for one of those 8 events. so tried adding truncate =0 in props.conf and could see all fields being indexed correctly however still facing issues with timestamp for those 8 events.

Could anyone please help or guide me to resolve this timestamp issue? Thanks in advance

The below defined props deployed to HF and UF(note: we are not deploying any configs to our indexers)
[sourcetype]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
CHARSET=UTF-8
INDEXED_EXTRACTIONS=csv
KV_MODE=none
category=Structured
FIELD_DELIMITER=,
disabled=false
pulldown_type=true

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

skalliger
SplunkTrust
SplunkTrust
‎01-29-2020 12:27 AM

What does that CSV look like? Do you have a header in that file with a timestamp field?
If so, make sure to add the parameters TIMESTAMP_FIELDS as well as TIME_FORMAT in the props.conf stanza.

Skalli

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

skalliger
SplunkTrust
SplunkTrust
‎01-29-2020 12:27 AM

What does that CSV look like? Do you have a header in that file with a timestamp field?
If so, make sure to add the parameters TIMESTAMP_FIELDS as well as TIME_FORMAT in the props.conf stanza.

Skalli

0 Karma
Reply
Solved! Jump to solution

swamysanjanaput
Explorer
‎01-29-2020 02:21 AM

LastWriteTime Length Name
28/01/2020 6:30 AM 166693 x_alerts_20200128_0630.csv
29/01/2020 6:30 AM 123079 x_alerts_20200129_0630.csv

There is a field in the CSV called TimeRaised but we would like this to be a field in the resultant event, with each individual event having its ingest time recorded as _time. Not sure why only those 8 events having a time stamp as 1/29/2012:00:00.000 PM

0 Karma
Reply
Solved! Jump to solution

skalliger
SplunkTrust
SplunkTrust
‎01-29-2020 02:50 AM

Then you'd rather want to add DATETIME_CONFIG = CURRENT to your props.conf stanza.

0 Karma
Reply
Solved! Jump to solution

swamysanjanaput
Explorer
‎01-30-2020 10:01 PM

Thank you @skalliger it worked!

Reply
Solved! Jump to solution

skalliger
SplunkTrust
SplunkTrust
‎01-31-2020 02:41 AM

Thank you for your feedback! Glad it worked.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...