CSV Timestamp Problem

harald_leitl · ‎05-26-2014

Hi,

I have a problem with extracting the timestamp from an csv file.

Somehow Splunk recognizes the DATE as Date and Time.

Here is a sample of my CSV Log file:

123456;textA;08.03.10 07:54:43;textB;textC;textD

Here is the result I get from the search:

08.03.10 08:03:10,000

123456;textA;08.03.10 07:54:43;textB;textC;textD

As you can see date and time is the same.

Here is what I expect to see:

08.03.10 07:54:43,000

123456;textA;08.03.10 07:54:43;textB;textC;textD

My props.conf:

[myCSVsourcetype]

TRANSFORMS-null=setnull
TIME_FORMAT = %d.%m.%y %%H:%M:%S
TIME_PREFIX = ^\d+\;\S+\;

My transforms.conf: (to remove header)

[setnull]
REGEX = ^(.*\n){1}
DEST_KEY = queue
FORMAT = nullQueue

what am I doing wrong?

why does splunk not recognize the time from the log?

using Splunk 6.0.2.

CSV file is created and moved to an indexing directory once a day.

Thanks!

harald_leitl · ‎05-28-2014

changed the typo

lguinn2 · ‎05-26-2014

You have a typo in your time format:

TIME_FORMAT = %d.%m.%Y %%H:%M:%S

should be

TIME_FORMAT = %d.%m.%y %H:%M:%S

Also, are you sure that textA will never have any whitespace characters? Perhaps your time prefix should be

TIME_PREFIX=.*?;.*?;

harald_leitl · ‎05-26-2014

my bad, was a typo in my question. i do have %d.%m.%y %H:%M:%S configured in my props.conf.
I also tried your TIME_PREFIX regex, didn't work. Somehow Splunk always recognizes the date as date and time as I described above. any other idea? thanks.

CSV Timestamp Problem

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk