I have files that are simple CSV.. using a batch to get them into splunk.
Logs look like this..
12-06-2012 23:58:53.738,JBSP_P03,2_SPORTS/WIDEVID,CAM_05,Take,J_LIGHT2,OK
in my props, I have
MAX_TIMESTAMP_LOOKAHEAD = 23
SHOULD_LINEMERGE = false
BREAK_ONLY_BEFORE_DATE = true
LINE_BREAKER = ([\r\n]+)
TRUNCATE = 999999
KV_MODE = None
TIME_FORMAT = %m-%d-%Y %H:%M:%S.%N
50% of the events get timestamped correctly.
The other 50% get stamped for when the file got copied into the batch folder..
12-06-2012 23:58:53.738,JBSP_P03,2_SPORTS/WIDEVID,CAM_05,Take,J_LIGHT2,OK - Stamped in splunk correctly.
10-08-2004 23:07:27.156,TGQC32N,3_NON/AES1/2,PRFD1912,Take Path,8191,OK - Stamped incorrectly in splunk.
... View more