https://community.splunk.com/t5/Getting-Data-In/YYYYMM-timestamp-can-Splunk-extract-time-using-strptime/m-p/234607#M45705 <P>Yeah sorry i was on my mobile so I didnt have a chance to look it up.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.2.0/Deploy/Datapipeline">http://docs.splunk.com/Documentation/Splunk/6.2.0/Deploy/Datapipeline</A></P> <P>So given that SEDCMD cant be done prior to TIME_FORMAT, you have a few options that I see.</P> <OL> <LI>Rewrite the code that generates the source as was suggested</LI> <LI>Use a rex in your search <CODE>...| rex field=PERIOD "s/(20\d{4})/\101/g" | eval _time=strptime(PERIOD,"%Y%m%d") | ...</CODE> </LI> <LI>Use a rex in your search and take it to a summary index, then run searches on the summary index.</LI> <LI>More options exist but these are some of the better ones I can think of.</LI> </OL> Sun, 17 Jan 2016 12:47:42 GMT jkat54 2016-01-17T12:47:42Z https://community.splunk.com/t5/Getting-Data-In/YYYYMM-timestamp-can-Splunk-extract-time-using-strptime/m-p/234602#M45700 <P>My data format can be seen below (CSV). The date field ("PERIOD") is in %Y%m format.</P> <PRE><CODE>...,PERIOD ...,201512 </CODE></PRE> <P>Although the following props.conf does not work:</P> <PRE><CODE>[ csv ] CHARSET=UTF-8 INDEXED_EXTRACTIONS=csv KV_MODE=none SHOULD_LINEMERGE=false category=Structured TIME_FORMAT=%Y%m TIMESTAMP_FIELDS=PERIOD </CODE></PRE> <P>Any ideas what I'm doing wrong guys?</P> Fri, 15 Jan 2016 21:07:02 GMT https://community.splunk.com/t5/Getting-Data-In/YYYYMM-timestamp-can-Splunk-extract-time-using-strptime/m-p/234602#M45700 himynamesdave 2016-01-15T21:07:02Z https://community.splunk.com/t5/Getting-Data-In/YYYYMM-timestamp-can-Splunk-extract-time-using-strptime/m-p/234603#M45701 <P>The minimum time format should include the day and month (year can be optional). If you've control over how you log your data, add the day part as well (you can default it to 01 for first day of month). Once you've that, above setting (with updated TIME_FORMAT) should work fine.</P> Fri, 15 Jan 2016 22:15:47 GMT https://community.splunk.com/t5/Getting-Data-In/YYYYMM-timestamp-can-Splunk-extract-time-using-strptime/m-p/234603#M45701 somesoni2 2016-01-15T22:15:47Z https://community.splunk.com/t5/Getting-Data-In/YYYYMM-timestamp-can-Splunk-extract-time-using-strptime/m-p/234604#M45702 <P>Got it, thanks!</P> Sat, 16 Jan 2016 10:39:31 GMT https://community.splunk.com/t5/Getting-Data-In/YYYYMM-timestamp-can-Splunk-extract-time-using-strptime/m-p/234604#M45702 himynamesdave 2016-01-16T10:39:31Z https://community.splunk.com/t5/Getting-Data-In/YYYYMM-timestamp-can-Splunk-extract-time-using-strptime/m-p/234605#M45703 <P>Try adding this sedcmd before the time_format:</P> <PRE><CODE>sedcmd-AddDayToDate = "s/(20\d{4})/\101/g" </CODE></PRE> <P>What this will do is match <CODE>20</CODE> followed by 4 digits (ex <CODE>201601</CODE>, <CODE>209912</CODE>, etc.), and when it finds this match it will replace it with whatever the original 6 digits were, plus it will add 01 for the first day of the month.</P> <P>So in the end, the field should have a correct date value. You may wish to change it to \130 to always have it show on the 30th day instead, etc.</P> <P>The uncertainty that comes for me is that I'm not sure if sedcmd will work prior to time_prefix or not. So please give this a try and let me know.</P> Sat, 16 Jan 2016 12:36:19 GMT https://community.splunk.com/t5/Getting-Data-In/YYYYMM-timestamp-can-Splunk-extract-time-using-strptime/m-p/234605#M45703 jkat54 2016-01-16T12:36:19Z https://community.splunk.com/t5/Getting-Data-In/YYYYMM-timestamp-can-Splunk-extract-time-using-strptime/m-p/234606#M45704 <P>Thanks! However, it would appear timestamp processing happens before any sedcmd's thus ruling this approach out.</P> Sun, 17 Jan 2016 08:59:12 GMT https://community.splunk.com/t5/Getting-Data-In/YYYYMM-timestamp-can-Splunk-extract-time-using-strptime/m-p/234606#M45704 himynamesdave 2016-01-17T08:59:12Z https://community.splunk.com/t5/Getting-Data-In/YYYYMM-timestamp-can-Splunk-extract-time-using-strptime/m-p/234607#M45705 <P>Yeah sorry i was on my mobile so I didnt have a chance to look it up.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.2.0/Deploy/Datapipeline">http://docs.splunk.com/Documentation/Splunk/6.2.0/Deploy/Datapipeline</A></P> <P>So given that SEDCMD cant be done prior to TIME_FORMAT, you have a few options that I see.</P> <OL> <LI>Rewrite the code that generates the source as was suggested</LI> <LI>Use a rex in your search <CODE>...| rex field=PERIOD "s/(20\d{4})/\101/g" | eval _time=strptime(PERIOD,"%Y%m%d") | ...</CODE> </LI> <LI>Use a rex in your search and take it to a summary index, then run searches on the summary index.</LI> <LI>More options exist but these are some of the better ones I can think of.</LI> </OL> Sun, 17 Jan 2016 12:47:42 GMT https://community.splunk.com/t5/Getting-Data-In/YYYYMM-timestamp-can-Splunk-extract-time-using-strptime/m-p/234607#M45705 jkat54 2016-01-17T12:47:42Z https://community.splunk.com/t5/Getting-Data-In/YYYYMM-timestamp-can-Splunk-extract-time-using-strptime/m-p/234608#M45706 <P>You may have to urlencode that rex because the '{}' characters.</P> <P>here it is encoded <CODE>... | rex field=PERIOD "s/(20\d%7B4%7D)/\101/g"</CODE></P> Sun, 17 Jan 2016 12:51:15 GMT https://community.splunk.com/t5/Getting-Data-In/YYYYMM-timestamp-can-Splunk-extract-time-using-strptime/m-p/234608#M45706 jkat54 2016-01-17T12:51:15Z https://community.splunk.com/t5/Getting-Data-In/YYYYMM-timestamp-can-Splunk-extract-time-using-strptime/m-p/234609#M45707 <P>try with <CODE>TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%N</CODE> instead <CODE>TIME_FORMAT=%Y%m</CODE> in your props.conf</P> Thu, 21 Jan 2016 08:59:04 GMT https://community.splunk.com/t5/Getting-Data-In/YYYYMM-timestamp-can-Splunk-extract-time-using-strptime/m-p/234609#M45707 fdi01 2016-01-21T08:59:04Z