https://community.splunk.com/t5/Getting-Data-In/Timestamp-index-do-not-consider-hours/m-p/80542#M16622 <P>I've already done it by setting it in the web interface while importing the new datas...I'll try to attach a screenshot of what I already have...</P> Thu, 21 Jun 2012 10:04:26 GMT nolivieri 2012-06-21T10:04:26Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-index-do-not-consider-hours/m-p/80540#M16620 <P>Hi all,</P> <P>I've a csv with a timestamp like this:</P> <PRE><CODE>2012-05-14 08 </CODE></PRE> <P>which is, of course, in the form:</P> <PRE><CODE>%Y-%m-%d %H </CODE></PRE> <P>Unfortunately, when trying to index it, it only takes the date:</P> <PRE><CODE>14/05/12 00.00.00,000 </CODE></PRE> <P>How can I make it aware of the hour? Obviously it would have minutes and seconds equals to "00"...<BR /> Thanks a lot, bye!!</P> <P>Edit: here is the screenshot: <IMG src="http://img411.imageshack.us/img411/7062/nohour.png" alt="alt text" /></P> Thu, 21 Jun 2012 09:45:31 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-index-do-not-consider-hours/m-p/80540#M16620 nolivieri 2012-06-21T09:45:31Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-index-do-not-consider-hours/m-p/80541#M16621 <P>You need to tell Splunk how to parse the timestamp by providing the appropriate format in the <CODE>TIME_FORMAT</CODE> configuration directive in <CODE>props.conf</CODE>.</P> <PRE><CODE>[my_sourcetype] TIME_FORMAT = %Y-%m-%d %H </CODE></PRE> <P>This will apply to events that get indexed after you've made the changes and restarted Splunk (so events that already exist in the index will not be affected).</P> <P>More information on configuring timestamp recognition here: <A href="http://docs.splunk.com/Documentation/Splunk/5.0/Data/Configuretimestamprecognition">http://docs.splunk.com/Documentation/Splunk/5.0/Data/Configuretimestamprecognition</A></P> Thu, 21 Jun 2012 10:01:10 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-index-do-not-consider-hours/m-p/80541#M16621 Ayn 2012-06-21T10:01:10Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-index-do-not-consider-hours/m-p/80542#M16622 <P>I've already done it by setting it in the web interface while importing the new datas...I'll try to attach a screenshot of what I already have...</P> Thu, 21 Jun 2012 10:04:26 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-index-do-not-consider-hours/m-p/80542#M16622 nolivieri 2012-06-21T10:04:26Z