topic Re: Extracting Timestamp From csv in Getting Data In

Extracting Timestamp From csv

RicoSuave — Thu, 31 Mar 2011 23:00:07 GMT

Hello. I'm having an issue when indexing a csv file. The format of the data is like this.

Employee,Date,Dept,Hours,Hour type,shift

Chuck Norris,Sat Jan 01 2011,10,hourtype,shift

etc

When i upload the file, splunk extracts each row as an event and does proper field extraction, but, it timestamps all of those events with the upload time of the file, intead of assigning it a timestamp using the date column. I tried the solution in this link to no effect: http://answers.splunk.com/questions/2672/defining-timestamp-on-data-from-csv-file

The odd thing is that another csv that gets indexed in nearly the same format, gets timestamped correctly. This csv is generated by a script. The only difference is that it has an additional column with a ticket number. Even after i tried modifying my csv with the same column, it still doesn't extract the timestamp correctly.

Re: Extracting Timestamp From csv

jbsplunk — Thu, 31 Mar 2011 23:09:56 GMT

Could you edit this post to include the configuration you are referring to in your props.conf? It would be helpful if we could see what you've attempted.

Re: Extracting Timestamp From csv

hazekamp — Thu, 31 Mar 2011 23:21:13 GMT

You should be able to do this with a few index-time properties. TIME_PREFIX tells Splunk where to start looking for a time match, and TIME_FORMAT tells Splunk what format to use:

## props.conf
[<your_sourcetype>]
TIME_PREFIX = ([^,]+),
TIME_FORMAT = %a %b %d %Y

Additional references if needed:

http://www.splunk.com/base/Documentation/latest/Admin/Propsconf

http://docs.python.org/library/time.html

Re: Extracting Timestamp From csv

RicoSuave — Thu, 07 Apr 2011 05:41:21 GMT

I tried this and it did not work. Is there anything else you recommend?

Re: Extracting Timestamp From csv

hazekamp — Mon, 28 Sep 2020 09:27:13 GMT

Joetron, I just indexed your sample log above with the TIME_PREFIX and TIME_FORMAT properties above and everything looks good. What specifically didn't work? Be sure to specify these properties on indexer or full forwarder.

Re: Extracting Timestamp From csv

RicoSuave — Thu, 14 Apr 2011 02:08:16 GMT

So i have a csv with hundreds of lines in the same format i specified above, but the lines have different dates. When i index that csv, splunk doesn't extract the timestamp individually from the date column in the csv, instead it assigns all the events the same time. That time being when the file was indexed.