<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Timestamp extraction from CSV files on universal forwarder in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Timestamp-extraction-from-CSV-files-on-universal-forwarder/m-p/65716#M13197</link>
    <description>&lt;P&gt;That would definitely explain things. The field I was after was about 225 characters into the CSV file.&lt;/P&gt;</description>
    <pubDate>Mon, 17 Dec 2012 19:47:04 GMT</pubDate>
    <dc:creator>jcbrendsel</dc:creator>
    <dc:date>2012-12-17T19:47:04Z</dc:date>
    <item>
      <title>Timestamp extraction from CSV files on universal forwarder</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Timestamp-extraction-from-CSV-files-on-universal-forwarder/m-p/65714#M13195</link>
      <description>&lt;P&gt;I am struggling to get timestamp recognition to work for CSV files.&lt;/P&gt;

&lt;P&gt;First, a bit about my setup.  The CSV files are being processed by a Universal Forwarder and then the data is sent off to the indexer.&lt;/P&gt;

&lt;P&gt;Here is a sample record from the csv source:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;"Estimated","462819316490","050506831222","LineItem","Amazon Elastic Compute Cloud","840814","855132","191235","BoxUsage","RunInstances","us-east-1a","N","$0.065 per M1 Standard Small (m1.small) Linux/UNIX instance-hour (or partial hour)","2012-12-01 00:00:00","2012-12-01 01:00:00","23.00000000","0.0650000000","1.49500000","0.0650000000","1.49500000"
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;On the universal forwarder, I set a custom sourcetype. The props.conf file:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[source::/var/log/billing/462819316490-aws-billing-detailed-line-items-*]
sourcetype = aws-billing-detailed
CHECK_METHOD=mod_time
SHOULD_LINEMERGE = false
TIME_FORMAT=%Y-%M-%D %H:%M:%S
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;The desired behavior would be that Splunk sets the timestamp to be the first of the two time columns in the csv data (i.e., 2012-12-01 00:00:00).&lt;/P&gt;

&lt;P&gt;The problem is that Splunk is setting the timestamp to the file date.&lt;/P&gt;

&lt;P&gt;What am I doing wrong?&lt;/P&gt;

&lt;P&gt;Jon&lt;/P&gt;</description>
      <pubDate>Mon, 17 Dec 2012 16:17:37 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Timestamp-extraction-from-CSV-files-on-universal-forwarder/m-p/65714#M13195</guid>
      <dc:creator>jcbrendsel</dc:creator>
      <dc:date>2012-12-17T16:17:37Z</dc:date>
    </item>
    <item>
      <title>Re: Timestamp extraction from CSV files on universal forwarder</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Timestamp-extraction-from-CSV-files-on-universal-forwarder/m-p/65715#M13196</link>
      <description>&lt;P&gt;The problem likely lies in that the timestamp lies too far into the event. By default Splunk only looks at the first 150 characters of each event to find a timestamp. This behaviour is configurable using the &lt;CODE&gt;MAX_TIMESTAMP_LOOKAHEAD&lt;/CODE&gt; directive in props.conf.&lt;/P&gt;</description>
      <pubDate>Mon, 17 Dec 2012 19:24:28 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Timestamp-extraction-from-CSV-files-on-universal-forwarder/m-p/65715#M13196</guid>
      <dc:creator>Ayn</dc:creator>
      <dc:date>2012-12-17T19:24:28Z</dc:date>
    </item>
    <item>
      <title>Re: Timestamp extraction from CSV files on universal forwarder</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Timestamp-extraction-from-CSV-files-on-universal-forwarder/m-p/65716#M13197</link>
      <description>&lt;P&gt;That would definitely explain things. The field I was after was about 225 characters into the CSV file.&lt;/P&gt;</description>
      <pubDate>Mon, 17 Dec 2012 19:47:04 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Timestamp-extraction-from-CSV-files-on-universal-forwarder/m-p/65716#M13197</guid>
      <dc:creator>jcbrendsel</dc:creator>
      <dc:date>2012-12-17T19:47:04Z</dc:date>
    </item>
    <item>
      <title>Re: Timestamp extraction from CSV files on universal forwarder</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Timestamp-extraction-from-CSV-files-on-universal-forwarder/m-p/65717#M13198</link>
      <description>&lt;P&gt;Update on this. The answer by Ayn was helpful in finding a couple of syntax errors, but the primary issue persists.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[source::/var/log/billing/462819316490-aws-billing-detailed-line-items-*]
sourcetype = aws-billing-detailed
CHECK_METHOD = modtime
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = -1
TIME_FORMAT = %Y-%m-%d %H:%M:%S
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Note: I am setting CHECK_METHOD = modtime just to make debugging easier. Once I figure this out, I will remove it.&lt;/P&gt;

&lt;P&gt;But this is still not properly extracting the time from the field showing in the original data snippet.&lt;/P&gt;</description>
      <pubDate>Mon, 17 Dec 2012 21:00:22 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Timestamp-extraction-from-CSV-files-on-universal-forwarder/m-p/65717#M13198</guid>
      <dc:creator>jcbrendsel</dc:creator>
      <dc:date>2012-12-17T21:00:22Z</dc:date>
    </item>
  </channel>
</rss>