https://community.splunk.com/t5/Splunk-Enterprise/Splunk-parsing-day-of-year-incorrectly/m-p/229375#M241 <P>Good day.</P> <P>I am trying to import a CSV into Splunk and specifying a Timestamp format and it appears Splunk is not calculating the day of year properly.</P> <P>My data has a column called 'Start Time' with values such as <CODE>222/06:00:00</CODE> I have specified the timestamp fields as <CODE>Start Time</CODE> and the Timestamp format as</P> <PRE><CODE>%j/%H:%M:%S </CODE></PRE> <P>Splunk correctly identifies the time but it assumes the day/date starts as today (08/15/2016) instead of the specified day of year in the imported data (e.g. 222 is actually 9 Aug. 2016).</P> <P>I have tested this conversion by editing my CSV so that one of the rows has <CODE>001/06:05:04</CODE>, which should parse to <CODE>01/01/2016 06:05:04.000</CODE> but instead parses to <CODE>08/15/2016 06:05:04.000</CODE></P> <P>I've tried this data import on both Splunk Light Free (6.4.0) and Splunk Enterprise (6.4.2) and the results are the same.</P> <P>Is this a problem with my data or with the way Splunk is parsing the day of year value?</P> <P>Thanks,<BR /> Andy</P> Mon, 15 Aug 2016 17:31:54 GMT arechenberg 2016-08-15T17:31:54Z https://community.splunk.com/t5/Splunk-Enterprise/Splunk-parsing-day-of-year-incorrectly/m-p/229375#M241 <P>Good day.</P> <P>I am trying to import a CSV into Splunk and specifying a Timestamp format and it appears Splunk is not calculating the day of year properly.</P> <P>My data has a column called 'Start Time' with values such as <CODE>222/06:00:00</CODE> I have specified the timestamp fields as <CODE>Start Time</CODE> and the Timestamp format as</P> <PRE><CODE>%j/%H:%M:%S </CODE></PRE> <P>Splunk correctly identifies the time but it assumes the day/date starts as today (08/15/2016) instead of the specified day of year in the imported data (e.g. 222 is actually 9 Aug. 2016).</P> <P>I have tested this conversion by editing my CSV so that one of the rows has <CODE>001/06:05:04</CODE>, which should parse to <CODE>01/01/2016 06:05:04.000</CODE> but instead parses to <CODE>08/15/2016 06:05:04.000</CODE></P> <P>I've tried this data import on both Splunk Light Free (6.4.0) and Splunk Enterprise (6.4.2) and the results are the same.</P> <P>Is this a problem with my data or with the way Splunk is parsing the day of year value?</P> <P>Thanks,<BR /> Andy</P> Mon, 15 Aug 2016 17:31:54 GMT https://community.splunk.com/t5/Splunk-Enterprise/Splunk-parsing-day-of-year-incorrectly/m-p/229375#M241 arechenberg 2016-08-15T17:31:54Z https://community.splunk.com/t5/Splunk-Enterprise/Splunk-parsing-day-of-year-incorrectly/m-p/229376#M242 <P>You date format doesn't have a year value. Only has day of the year, which occurs every year. So splunk defaults to current date.</P> Mon, 15 Aug 2016 17:55:38 GMT https://community.splunk.com/t5/Splunk-Enterprise/Splunk-parsing-day-of-year-incorrectly/m-p/229376#M242 sundareshr 2016-08-15T17:55:38Z https://community.splunk.com/t5/Splunk-Enterprise/Splunk-parsing-day-of-year-incorrectly/m-p/229377#M243 <P>The above format does work for me (splunk 6.2.6). Could you share the props.conf you're trying to user, for the sourcetype. (if using Splunk's add data from ui, go to advanced section on left and copy to clipboard).</P> Mon, 15 Aug 2016 18:15:29 GMT https://community.splunk.com/t5/Splunk-Enterprise/Splunk-parsing-day-of-year-incorrectly/m-p/229377#M243 somesoni2 2016-08-15T18:15:29Z https://community.splunk.com/t5/Splunk-Enterprise/Splunk-parsing-day-of-year-incorrectly/m-p/229378#M244 <P>I believe that @sundareshr is correct:<BR /> "You [sic] date format doesn't have a year value. Only has day of the year, which occurs every year. So splunk defaults to current date."</P> <P>The timestamp format must yield a complete and valid date. A partial date will not work. Here is <A href="http://docs.splunk.com/Documentation/Splunk/6.4.2/Data/HowSplunkextractstimestamps">How Timestamp Assignment Works</A>. So you need to get the year into the date somewhere</P> Tue, 16 Aug 2016 20:36:24 GMT https://community.splunk.com/t5/Splunk-Enterprise/Splunk-parsing-day-of-year-incorrectly/m-p/229378#M244 lguinn2 2016-08-16T20:36:24Z https://community.splunk.com/t5/Splunk-Enterprise/Splunk-parsing-day-of-year-incorrectly/m-p/229379#M245 <P>Thanks for the reply Lisa. That was indeed the issue. I added the year in front as such:</P> <PRE><CODE> 2016/231/06:00:00 </CODE></PRE> <P>Splunk then parsed the timestamp as expected.</P> <P>Thanks again!</P> Wed, 24 Aug 2016 15:17:40 GMT https://community.splunk.com/t5/Splunk-Enterprise/Splunk-parsing-day-of-year-incorrectly/m-p/229379#M245 arechenberg 2016-08-24T15:17:40Z