https://community.splunk.com/t5/Getting-Data-In/TIME-FORMAT-it-s-May-not-January/m-p/92957#M19337 <P>Overnight I noticed that my Splunk was suspiciously empty for a specific CSV file which was read in daily.</P> <P>Upon further investigation it turned out this was due to the fact that the file now has data for May 1, or, 01/05/2011....the CSV auto-parsing saw the format for the last half of last month and worked out, properly, that it was Day/Month/Year, (16/04/2011 was pretty obvious) but now, well, it's a bit fuzzier.</P> <P>Reading up in the manuals, it looks like the answer is to set the TIME_FORMAT in props.conf, which I have done with:</P> <PRE> [source::/A/B/C/data/MyFile*] TIME_FORMAT = %d/%m/%y %H:%M </PRE> <P>The source is already being indexed with a inputs.conf entry for "/A/B/C/data"</P> <P>The data looks like:</P> <PRE> 3812305781230123 , 7773213 , 9099, B, 75, INTERNET, 01/05/2011 23:58 </PRE> <P>However, Splunk is still seeing this as data for January.</P> <P>What should I do to fix this?</P> <P>Thanks!</P> Mon, 02 May 2011 00:02:10 GMT howyagoin 2011-05-02T00:02:10Z https://community.splunk.com/t5/Getting-Data-In/TIME-FORMAT-it-s-May-not-January/m-p/92957#M19337 <P>Overnight I noticed that my Splunk was suspiciously empty for a specific CSV file which was read in daily.</P> <P>Upon further investigation it turned out this was due to the fact that the file now has data for May 1, or, 01/05/2011....the CSV auto-parsing saw the format for the last half of last month and worked out, properly, that it was Day/Month/Year, (16/04/2011 was pretty obvious) but now, well, it's a bit fuzzier.</P> <P>Reading up in the manuals, it looks like the answer is to set the TIME_FORMAT in props.conf, which I have done with:</P> <PRE> [source::/A/B/C/data/MyFile*] TIME_FORMAT = %d/%m/%y %H:%M </PRE> <P>The source is already being indexed with a inputs.conf entry for "/A/B/C/data"</P> <P>The data looks like:</P> <PRE> 3812305781230123 , 7773213 , 9099, B, 75, INTERNET, 01/05/2011 23:58 </PRE> <P>However, Splunk is still seeing this as data for January.</P> <P>What should I do to fix this?</P> <P>Thanks!</P> Mon, 02 May 2011 00:02:10 GMT https://community.splunk.com/t5/Getting-Data-In/TIME-FORMAT-it-s-May-not-January/m-p/92957#M19337 howyagoin 2011-05-02T00:02:10Z https://community.splunk.com/t5/Getting-Data-In/TIME-FORMAT-it-s-May-not-January/m-p/92958#M19338 <P>Hi, I think you should use %Y instead of %y , because the year is "2011" (four digits).<BR /> and , if possible, you can use TIME_PREFIX to tell splunk where is the exact date field you want splunk to recognize.</P> Mon, 02 May 2011 02:12:26 GMT https://community.splunk.com/t5/Getting-Data-In/TIME-FORMAT-it-s-May-not-January/m-p/92958#M19338 dmlee 2011-05-02T02:12:26Z https://community.splunk.com/t5/Getting-Data-In/TIME-FORMAT-it-s-May-not-January/m-p/92959#M19339 <P>Hah, thanks, great catch on the %Y. That didn't actually fix my issue, but, the TIME_PREFIX seems to get me closer. There are six fields, comma separated, before my date/time field, so I just need to work out the regex on this -- as some of the fields are empty sometimes, othertimes not (annoying).</P> Mon, 02 May 2011 03:40:44 GMT https://community.splunk.com/t5/Getting-Data-In/TIME-FORMAT-it-s-May-not-January/m-p/92959#M19339 howyagoin 2011-05-02T03:40:44Z https://community.splunk.com/t5/Getting-Data-In/TIME-FORMAT-it-s-May-not-January/m-p/92960#M19340 <P>For the benefit of those reading who may want a concrete example:<BR /> <PRE><BR /> TIME_PREFIX = ^(?:[^\,]+,){6}\s*<BR /> TIME_FORMAT = %d/%m/%Y %H:%M<BR /> </PRE></P> Mon, 28 Sep 2020 09:31:02 GMT https://community.splunk.com/t5/Getting-Data-In/TIME-FORMAT-it-s-May-not-January/m-p/92960#M19340 howyagoin 2020-09-28T09:31:02Z