Parsing Time error while monitoring CSV file

ishaanshekhar · ‎09-21-2015

Dear SPLUNK Community,

I need some help for parsing output time field correctly. I am monitoring the csv file on UF and reading it on Indexer.

Here's the sample how the file looks like:

DB_NAME,STATUS,DATE
DB_1,UP,2015-09-2109:19:03.450
DB_2,DOWN,2015-09-2109:19:04.830
...
...

Configuration Details:

On UF:
inputs.conf:
[monitor://.....<path of file>]
disabled = 0
sourcetype = health

props.conf:

[health]
INDEXED_EXTRACTIONS = csv
HEADER_FIELD_LINE_NUMBER = 1
TIMESTAMP_FIELDS = DATE
NO_BINARY_CHECK = true
TIME_FORMAT = %Y-%m-%d%H:%M:%S.%3N
TZ = UTC
SHOULD_LINEMERGE = false

-On Indexer:

 props.conf

[health]
TIME_FORMAT = %Y-%m-%d%H:%M:%S.%3N
TZ = UTC
SHOULD_LINEMERGE = false

Please Note: SPLUNK is still indexing the file, but looks like the timestamp it assigns is of current date, instead of the DATE column value.

Thanks in advance!
Ishaan

ishaanshekhar · ‎09-21-2015

My bad...!

I just noticed that the DATE field was not read by splunkd because I had one header extra in the header line, which literally pushed the DATE values mapped to a wrong column.

Changed that and it is working perfectly.

richgalloway · ‎09-21-2015

Copy the [health] stanza from your forwarder's props.conf file to your indexer and restart the indexer.

---
If this reply helps you, Karma would be appreciated.

Parsing Time error while monitoring CSV file

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio