https://community.splunk.com/t5/Getting-Data-In/source-type-issues/m-p/28933#M4977 <P>I generally would advise not to use <CODE>CHECK_FOR_HEADER</CODE>. As far as the time stamp issue, that's tricky to debug, but my guess is Splunk is for whatever reason not reading your Julian days and getting the date from the last-mod time on the files.</P> Wed, 18 Apr 2012 00:53:05 GMT gkanapathy 2012-04-18T00:53:05Z https://community.splunk.com/t5/Getting-Data-In/source-type-issues/m-p/28932#M4976 <P>Hello All,</P> <P>we have started working with splunk to deal with a pile of date. for that we have created a custom source type and put it in the props.conf file. it looks like this:</P> <P>[mk_csv]</P> <P>CHECK_FOR_HEADER = true</P> <P>KV_MODE = none</P> <P>NO_BINARY_CHECK = 1</P> <P>SHOULD_LINEMERGE = False</P> <P>TIME_FORMAT = %Y-%jT%H:%M:%S.%3N</P> <P>pulldown_type = 1</P> <P>TZ = UTC</P> <P>that is in ./splunk/etc/system/local/props.conf and yes we restarted the server </P> <P>So far so good. we added the source type to the data inputs. we built a new index mk_mission.</P> <P>Now from the search window if I run a sourcetype="mk_csv" nothing shows up. however I do find that there is now a mk_csv-3 with 37 events in it, it even correctly displays the julian dates (the %j in the time_format)</P> <P>last problem. I configured the data inputs to use julian time as seen above however everything indexed is showing up with the wrong dates, always a bit early<BR /><BR /> examples:</P> <P>search index for sourcetype="mk_csv-3"</P> <P>record returned:</P> <P>4/13/12 6:32:52.138 PM with the time stamp from the entry as: 2012-104T18:32:52.138</P> <P>that looks like the sourcetype in the props.conf is working correctly</P> <P>search for:</P> <P>index="mk_mission_gra_eng"</P> <P>get:</P> <P>4/6/12 9:11:09.467 PM from 2012-088T21:11:09.467</P> <P>4/6/12 5:42:38.170 PM from 2012-081T17:42:38.170</P> <P>4/6/12 4:05:10.097 PM from 2012-102T16:05:10.097</P> <P>4/5/12 11:17:30.163 PM from 2012-101T23:17:30.163</P> <P>as near as I can tell this is not what I would expect since we set the source type as the data input level.</P> Mon, 28 Sep 2020 11:41:22 GMT https://community.splunk.com/t5/Getting-Data-In/source-type-issues/m-p/28932#M4976 cnhn 2020-09-28T11:41:22Z https://community.splunk.com/t5/Getting-Data-In/source-type-issues/m-p/28933#M4977 <P>I generally would advise not to use <CODE>CHECK_FOR_HEADER</CODE>. As far as the time stamp issue, that's tricky to debug, but my guess is Splunk is for whatever reason not reading your Julian days and getting the date from the last-mod time on the files.</P> Wed, 18 Apr 2012 00:53:05 GMT https://community.splunk.com/t5/Getting-Data-In/source-type-issues/m-p/28933#M4977 gkanapathy 2012-04-18T00:53:05Z https://community.splunk.com/t5/Getting-Data-In/source-type-issues/m-p/28934#M4978 <P>how do you eliminate the static column headers from the csv files without CHECK_FOR_HEADERS?</P> Mon, 28 Sep 2020 11:41:32 GMT https://community.splunk.com/t5/Getting-Data-In/source-type-issues/m-p/28934#M4978 cnhn 2020-09-28T11:41:32Z