<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: CSV Timestamp Problem in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/CSV-Timestamp-Problem/m-p/178251#M35729</link>
    <description>&lt;P&gt;You have a typo in your time format:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;TIME_FORMAT = %d.%m.%Y %%H:%M:%S
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;should be&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;TIME_FORMAT = %d.%m.%y %H:%M:%S
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Also, are you sure that &lt;STRONG&gt;textA&lt;/STRONG&gt; will never have any whitespace characters? Perhaps your time prefix should be&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;TIME_PREFIX=.*?;.*?;
&lt;/CODE&gt;&lt;/PRE&gt;</description>
    <pubDate>Mon, 26 May 2014 18:40:36 GMT</pubDate>
    <dc:creator>lguinn2</dc:creator>
    <dc:date>2014-05-26T18:40:36Z</dc:date>
    <item>
      <title>CSV Timestamp Problem</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/CSV-Timestamp-Problem/m-p/178250#M35728</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;

&lt;P&gt;I have a problem with extracting the timestamp from an csv file.&lt;/P&gt;

&lt;P&gt;Somehow Splunk recognizes the DATE as Date and Time.&lt;/P&gt;

&lt;P&gt;Here is a sample of my CSV Log file:&lt;/P&gt;

&lt;P&gt;&lt;STRONG&gt;&lt;EM&gt;123456;textA;08.03.10 07:54:43;textB;textC;textD&lt;/EM&gt;&lt;/STRONG&gt;&lt;/P&gt;

&lt;P&gt;Here is the result I get from the search:&lt;/P&gt;

&lt;P&gt;&lt;STRONG&gt;&lt;EM&gt;08.03.10 08:03:10,000&lt;BR /&gt;&lt;BR /&gt;
123456;textA;08.03.10 07:54:43;textB;textC;textD&lt;/EM&gt;&lt;/STRONG&gt;&lt;/P&gt;

&lt;P&gt;As you can see date and time is the same.&lt;/P&gt;

&lt;P&gt;Here is what I expect to see:&lt;/P&gt;

&lt;P&gt;&lt;STRONG&gt;&lt;EM&gt;08.03.10 07:54:43,000&lt;BR /&gt;&lt;BR /&gt;
123456;textA;08.03.10 07:54:43;textB;textC;textD&lt;/EM&gt;&lt;/STRONG&gt;&lt;/P&gt;

&lt;P&gt;My &lt;STRONG&gt;props.conf&lt;/STRONG&gt;:&lt;/P&gt;

&lt;P&gt;[myCSVsourcetype]&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;TRANSFORMS-null=setnull
TIME_FORMAT = %d.%m.%y %%H:%M:%S
TIME_PREFIX = ^\d+\;\S+\;
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;My &lt;STRONG&gt;transforms.conf&lt;/STRONG&gt;: (to remove header)&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[setnull]
REGEX = ^(.*\n){1}
DEST_KEY = queue
FORMAT = nullQueue
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;what am I doing wrong? &lt;/P&gt;

&lt;P&gt;why does splunk not recognize the time from the log?&lt;/P&gt;

&lt;P&gt;using Splunk 6.0.2. &lt;/P&gt;

&lt;P&gt;CSV file is created and moved to an indexing directory once a day. &lt;/P&gt;

&lt;P&gt;Thanks!&lt;/P&gt;</description>
      <pubDate>Mon, 26 May 2014 13:17:52 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/CSV-Timestamp-Problem/m-p/178250#M35728</guid>
      <dc:creator>harald_leitl</dc:creator>
      <dc:date>2014-05-26T13:17:52Z</dc:date>
    </item>
    <item>
      <title>Re: CSV Timestamp Problem</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/CSV-Timestamp-Problem/m-p/178251#M35729</link>
      <description>&lt;P&gt;You have a typo in your time format:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;TIME_FORMAT = %d.%m.%Y %%H:%M:%S
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;should be&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;TIME_FORMAT = %d.%m.%y %H:%M:%S
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Also, are you sure that &lt;STRONG&gt;textA&lt;/STRONG&gt; will never have any whitespace characters? Perhaps your time prefix should be&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;TIME_PREFIX=.*?;.*?;
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Mon, 26 May 2014 18:40:36 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/CSV-Timestamp-Problem/m-p/178251#M35729</guid>
      <dc:creator>lguinn2</dc:creator>
      <dc:date>2014-05-26T18:40:36Z</dc:date>
    </item>
    <item>
      <title>Re: CSV Timestamp Problem</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/CSV-Timestamp-Problem/m-p/178252#M35730</link>
      <description>&lt;P&gt;my bad, was a typo in my question. i do have %d.%m.%y %H:%M:%S configured in my props.conf.&lt;BR /&gt;
I also tried your TIME_PREFIX regex, didn't work. Somehow Splunk always recognizes the date as date and time as I described above. any other idea? thanks.&lt;/P&gt;</description>
      <pubDate>Mon, 26 May 2014 20:32:29 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/CSV-Timestamp-Problem/m-p/178252#M35730</guid>
      <dc:creator>harald_leitl</dc:creator>
      <dc:date>2014-05-26T20:32:29Z</dc:date>
    </item>
    <item>
      <title>Re: CSV Timestamp Problem</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/CSV-Timestamp-Problem/m-p/178253#M35731</link>
      <description>&lt;P&gt;changed the typo&lt;/P&gt;</description>
      <pubDate>Wed, 28 May 2014 16:06:20 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/CSV-Timestamp-Problem/m-p/178253#M35731</guid>
      <dc:creator>harald_leitl</dc:creator>
      <dc:date>2014-05-28T16:06:20Z</dc:date>
    </item>
  </channel>
</rss>

