https://community.splunk.com/t5/Splunk-Enterprise/Different-timestamp-values-for-the-same-file-indexed/m-p/504749#M2003 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/99982">@peterkn</a>&nbsp;,</P><P>Can you share a few lines of the csv?&nbsp;</P><P>Splunk tries to get a time for each event / row. It seems that is uses a field that not really is a timestamp or fails to get the correct values from it. Maybe some number that could be interpreted as a unix/epoch timestamp.<BR /><BR />You have to tell Splunk where the timestamp is&nbsp; and how to interprete it. Either in the UI or in props.conf.<BR />=&gt;&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition" target="_self">Explained here.</A>&nbsp;</P><P>The "current time" / time when indexing is the last option being used.<BR /><BR />If there is no timestamp, you could add one to each row with (e.g.) sed. If a script copies the file, it would be an easy enhancement.<BR />Or you configure props.conf as decribed <A href="https://community.splunk.com/t5/Getting-Data-In/Using-index-time-as-time-stamp/m-p/51464#M9877" target="_self">here</A> to really use the current time/index time.</P> Wed, 17 Jun 2020 07:56:21 GMT rnowitzki 2020-06-17T07:56:21Z https://community.splunk.com/t5/Splunk-Enterprise/Different-timestamp-values-for-the-same-file-indexed/m-p/504717#M1994 <P>Hi,&nbsp;<BR /><BR />I have a data input (Directory Monitor) for /opt/splunk/data/test<BR /><BR />Everyday a new csv file is copy pasted in this directory, and Splunk would start indexing them.&nbsp;<BR /><BR />However all rows in this csv file are indexed with different timestamp (_time) values. Eg the file has 3382 events indexed, but doing a&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">index=caseload host=XXXX source="/opt/splunk/data/test/testfile.csv" | stats count by _time</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>would yield something like</P><TABLE border="1" width="100%"><TBODY><TR><TD width="50%">_time</TD><TD width="50%">count</TD></TR><TR><TD width="50%"><SPAN>2015-04-17 04:56:49</SPAN></TD><TD width="50%">22</TD></TR><TR><TD width="50%"><SPAN>2016-01-08 19:51:49</SPAN></TD><TD width="50%"><SPAN>33</SPAN></TD></TR><TR><TD width="50%"><SPAN>2016-01-18 12:20:09</SPAN></TD><TD width="50%"><SPAN>11</SPAN></TD></TR><TR><TD width="50%"><SPAN>2016-02-07 21:15:09</SPAN></TD><TD width="50%"><SPAN>18</SPAN></TD></TR></TBODY></TABLE><P>&nbsp;</P><P>shouldn't it be all current time which is "2020-06-17 10:10:10" for instance, instead of various different timestamps, I'm thinking it is trying to find some value per row that represents a timestamp and parse it, but I don't even see any "2015-04-17" in those 22 rows.&nbsp;<BR /><BR />How do I make all the Directory Monitors to index each event using current timestamp?&nbsp;</P> Wed, 17 Jun 2020 02:11:49 GMT https://community.splunk.com/t5/Splunk-Enterprise/Different-timestamp-values-for-the-same-file-indexed/m-p/504717#M1994 peterkn 2020-06-17T02:11:49Z https://community.splunk.com/t5/Splunk-Enterprise/Different-timestamp-values-for-the-same-file-indexed/m-p/504749#M2003 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/99982">@peterkn</a>&nbsp;,</P><P>Can you share a few lines of the csv?&nbsp;</P><P>Splunk tries to get a time for each event / row. It seems that is uses a field that not really is a timestamp or fails to get the correct values from it. Maybe some number that could be interpreted as a unix/epoch timestamp.<BR /><BR />You have to tell Splunk where the timestamp is&nbsp; and how to interprete it. Either in the UI or in props.conf.<BR />=&gt;&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition" target="_self">Explained here.</A>&nbsp;</P><P>The "current time" / time when indexing is the last option being used.<BR /><BR />If there is no timestamp, you could add one to each row with (e.g.) sed. If a script copies the file, it would be an easy enhancement.<BR />Or you configure props.conf as decribed <A href="https://community.splunk.com/t5/Getting-Data-In/Using-index-time-as-time-stamp/m-p/51464#M9877" target="_self">here</A> to really use the current time/index time.</P> Wed, 17 Jun 2020 07:56:21 GMT https://community.splunk.com/t5/Splunk-Enterprise/Different-timestamp-values-for-the-same-file-indexed/m-p/504749#M2003 rnowitzki 2020-06-17T07:56:21Z https://community.splunk.com/t5/Splunk-Enterprise/Different-timestamp-values-for-the-same-file-indexed/m-p/504900#M2025 <P>You're an absolute champion.&nbsp;<BR /><BR />Due to the nature of the data in the file I'm not legally allowed to share it's content unfortunately.&nbsp;<BR /><BR />For those who are interested, instead of modifying/creating props.conf, I changed the timestamp setting from when adding a new file to an index (Settings&gt;Add Data&gt;Upload), select the sourcetype (csv in my case), under Source Type there is a dropdown for Timestamp, my defaulted to "Automatic" so I changed it to "Current", upon clicking "Next" it will ask me to save, select yes, overwrite. This setting will apply to all input monitors, please make sure you restart Splunk.&nbsp;</P><P>Thanks again&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/64317">@rnowitzki</a>&nbsp;</P> Thu, 18 Jun 2020 06:48:59 GMT https://community.splunk.com/t5/Splunk-Enterprise/Different-timestamp-values-for-the-same-file-indexed/m-p/504900#M2025 peterkn 2020-06-18T06:48:59Z https://community.splunk.com/t5/Splunk-Enterprise/Different-timestamp-values-for-the-same-file-indexed/m-p/504907#M2026 <P>You're welcome.<BR /><BR />And you actually changed props.conf with that, but using the UI instead of CLI/vi <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR /><BR />Happy splunking.</P> Thu, 18 Jun 2020 07:22:00 GMT https://community.splunk.com/t5/Splunk-Enterprise/Different-timestamp-values-for-the-same-file-indexed/m-p/504907#M2026 rnowitzki 2020-06-18T07:22:00Z