https://community.splunk.com/t5/Getting-Data-In/CSV-timestamp-extraction-issue/m-p/179060#M35885 <P>Thanks for your reply.<BR /> I tried this using data preview and advanced mode (pros.conf) but it shows the same result. I am using splunk 6.0.2. Anything else I can try?</P> Sun, 09 Mar 2014 06:03:17 GMT sains 2014-03-09T06:03:17Z https://community.splunk.com/t5/Getting-Data-In/CSV-timestamp-extraction-issue/m-p/179058#M35883 <P>I am indexing a simple CSV file local on the spunk server. I am trying to extract the correct time stamp from the CSV file (every line is an event) but splunk keep using the file's modified date as the timestamp. Below is the sample line from the csv file and the regex I am trying. what am I doing wrong here?<BR /> Sample line<BR /> "03/04/2014","58.71","*",""," xxxxxxxxxxx9682"</P> <P>regex I have tried so far<BR /> \d{2}/\d{2}/\d{4}<BR /> ^"\d{2}/\d{2}/\d{4}"<BR /> "\d{2}/\d{2}/\d{4}"</P> <P>Also tried the following time format</P> <P>%m/%d/%Y</P> Sun, 09 Mar 2014 04:46:00 GMT https://community.splunk.com/t5/Getting-Data-In/CSV-timestamp-extraction-issue/m-p/179058#M35883 sains 2014-03-09T04:46:00Z https://community.splunk.com/t5/Getting-Data-In/CSV-timestamp-extraction-issue/m-p/179059#M35884 <P>I would use Splunk's data preview to help with this. But add this stanza to <CODE>props.conf</CODE> and you should be okay. BTW, this assumes that you set the sourcetype to "myCSV" in <CODE>inputs.conf</CODE></P> <P><STRONG>props.conf</STRONG></P> <PRE><CODE>[myCSV] SHOULD_LINEMERGE = false MAX_TIMESTAMP_LOOKAHEAD = 15 TIME_FORMAT = %m/%d/%Y INDEXED_EXTRACTIONS = CSV FIELD_NAMES = tstamp, field1, field2, field3, ccnum </CODE></PRE> <P>The last 2 lines may not apply if you are not using Splunk 6.</P> Sun, 09 Mar 2014 05:35:29 GMT https://community.splunk.com/t5/Getting-Data-In/CSV-timestamp-extraction-issue/m-p/179059#M35884 lguinn2 2014-03-09T05:35:29Z https://community.splunk.com/t5/Getting-Data-In/CSV-timestamp-extraction-issue/m-p/179060#M35885 <P>Thanks for your reply.<BR /> I tried this using data preview and advanced mode (pros.conf) but it shows the same result. I am using splunk 6.0.2. Anything else I can try?</P> Sun, 09 Mar 2014 06:03:17 GMT https://community.splunk.com/t5/Getting-Data-In/CSV-timestamp-extraction-issue/m-p/179060#M35885 sains 2014-03-09T06:03:17Z https://community.splunk.com/t5/Getting-Data-In/CSV-timestamp-extraction-issue/m-p/179061#M35886 <P>It works if my csv file has time stamp in addition to date e.g. "03/04/2014 00:00:00".<BR /> Any way to do it with just the date stamp?</P> Sun, 09 Mar 2014 21:34:43 GMT https://community.splunk.com/t5/Getting-Data-In/CSV-timestamp-extraction-issue/m-p/179061#M35886 sains 2014-03-09T21:34:43Z https://community.splunk.com/t5/Getting-Data-In/CSV-timestamp-extraction-issue/m-p/179062#M35887 <P>Hi</P> <P>short test with "your" data in data preview mode </P> <PRE><CODE>Specify timestamp format (strptime) = %m/%d/%Y Timestamp is always prefaced by a pattern = ^" </CODE></PRE> <P>results to the following props.conf</P> <PRE><CODE>TIME_FORMAT=%m/%d/%Y TIME_PREFIX=^" </CODE></PRE> <P>works for me.</P> Mon, 10 Mar 2014 09:55:35 GMT https://community.splunk.com/t5/Getting-Data-In/CSV-timestamp-extraction-issue/m-p/179062#M35887 nekb1958 2014-03-10T09:55:35Z https://community.splunk.com/t5/Getting-Data-In/CSV-timestamp-extraction-issue/m-p/179063#M35888 <P>This worked!. I thought I tried this before but might have missed something. thanks for your help.</P> Mon, 10 Mar 2014 15:44:53 GMT https://community.splunk.com/t5/Getting-Data-In/CSV-timestamp-extraction-issue/m-p/179063#M35888 sains 2014-03-10T15:44:53Z