Hey everyone,
I am trying to use Splunk to monitor and index multiple CSVs in a directory (e.g. log1.csv / log2.csv in c:\logs), and use the 2nd column of the CSVs as a timestamp. I have tried playing around with inputs.conf and props.conf, but to no avail. The format of the timestamp in the 2nd column (DAY) of each CSV is %Y-%m-d%.
props.conf
[source::C:\\logs\\*]
TIMESTAMP_FIELDS = DAY
TIME_FORMAT = %Y-%m-%d
inputs.conf
[monitor://c:\logs]
disabled = false
followTail = 0
sourcetype = csv
Can anyone advise me on how I should go about getting Splunk to parse the 2nd column of every CSV as the timestamp when indexing? (The column headers are the same format/header.)
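An added example, not part of the original post and not Splunk's own sample configuration: one arrangement for taking the event time from a named CSV column. It assumes a custom sourcetype name (csv_day, hypothetical), a header row that contains DAY, and that props.conf is deployed on the instance that reads the files, because structured-data settings are applied where the file is monitored.

```ini
# ---- props.conf (on the instance that monitors c:\logs) ----
# csv_day is a hypothetical sourcetype name chosen for this example.
[csv_day]
# TIMESTAMP_FIELDS is a structured-data setting; it is only honoured
# when header-based extraction is enabled for the same stanza.
INDEXED_EXTRACTIONS = csv
# Header name of the column that carries the event time (2nd column in the post).
TIMESTAMP_FIELDS = DAY
# strptime pattern for values such as 2015-03-27.
TIME_FORMAT = %Y-%m-%d

# ---- inputs.conf (same instance) ----
# Wildcard limits the input to the CSV files in the directory.
[monitor://C:\logs\*.csv]
disabled = false
# Ties the input to the props.conf stanza above by sourcetype,
# which avoids relying on a source:: path pattern on Windows.
sourcetype = csv_day
```

Files that were already indexed keep the timestamps assigned at index time; only data read after the change and a restart is parsed with the new settings.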