https://community.splunk.com/t5/Getting-Data-In/CSV-Timestamp-issue/m-p/38236#M7024 <P>You should probably try a different set of strptime/strftime variables. Currently you define your <CODE>TIME_FORMAT</CODE> as </P> <P>minute/full date/year hour:minute</P> <P>I'd try to change this into</P> <P><CODE>TIME_FORMAT = %D %H:%M</CODE></P> <P>%D = m/d/y</P> <P>for more info, see; <A href="http://www.strftime.net">http://www.strftime.net</A></P> <P>/K</P> Mon, 19 Aug 2013 07:11:54 GMT kristian_kolb 2013-08-19T07:11:54Z https://community.splunk.com/t5/Getting-Data-In/CSV-Timestamp-issue/m-p/38235#M7023 <P>I am struggling to get splunk to parse the timestamps properly in a CSV file (Firefox Web History log exported to CSV). I tried the default CSV type, and all I get is the CSV file's modtime listed as the timestamps. Here are the first few lines of the CSV (redacted):</P> <P>4/3/07 0:36, some url,html,????</P> <P>4/3/07 0:35,some url, html,?????</P> <P>4/3/07 0:34,some url,html, ????</P> <P>Here is what I have added to my props.conf file:</P> <P>TIME_FORMAT = %M/%D/%Y %H:%M</P> <P>SHOULD_LINEMERGE = false</P> <P>MAX_TIMESTAMP_LOOKAHEAD = 19 </P> <P>Same error. Any advice appreciated as I am new to splunk and still figuring it out.</P> Mon, 28 Sep 2020 14:35:53 GMT https://community.splunk.com/t5/Getting-Data-In/CSV-Timestamp-issue/m-p/38235#M7023 drangzt 2020-09-28T14:35:53Z https://community.splunk.com/t5/Getting-Data-In/CSV-Timestamp-issue/m-p/38236#M7024 <P>You should probably try a different set of strptime/strftime variables. Currently you define your <CODE>TIME_FORMAT</CODE> as </P> <P>minute/full date/year hour:minute</P> <P>I'd try to change this into</P> <P><CODE>TIME_FORMAT = %D %H:%M</CODE></P> <P>%D = m/d/y</P> <P>for more info, see; <A href="http://www.strftime.net">http://www.strftime.net</A></P> <P>/K</P> Mon, 19 Aug 2013 07:11:54 GMT https://community.splunk.com/t5/Getting-Data-In/CSV-Timestamp-issue/m-p/38236#M7024 kristian_kolb 2013-08-19T07:11:54Z https://community.splunk.com/t5/Getting-Data-In/CSV-Timestamp-issue/m-p/38237#M7025 <P>Tried your suggestion and same problem. Note: I did make sure that the source file was re-indexed.</P> Mon, 19 Aug 2013 11:53:03 GMT https://community.splunk.com/t5/Getting-Data-In/CSV-Timestamp-issue/m-p/38237#M7025 drangzt 2013-08-19T11:53:03Z https://community.splunk.com/t5/Getting-Data-In/CSV-Timestamp-issue/m-p/38238#M7026 <P>There's also the issue with that %H assumes a two-digit value, so the hour "0" would not be understood (it expects "00"). %k is the equivalent without leading zero. Same goes for the day of the month (%e is without leading zero), etc.</P> Mon, 19 Aug 2013 12:00:56 GMT https://community.splunk.com/t5/Getting-Data-In/CSV-Timestamp-issue/m-p/38238#M7026 Ayn 2013-08-19T12:00:56Z https://community.splunk.com/t5/Getting-Data-In/CSV-Timestamp-issue/m-p/38239#M7027 <P>Good point. Though I seem to remember that Splunk can handle optional leading zeroes. But to be more exact, try;</P> <P>TIME_FORMAT = %m/%e/%y %k:%M</P> <P>There is (afaik) no 1-12 format for months, %m requires 01-12. Also, if your hours are 1-12 use %l (lower-case L) instead of %k (which is 0-23). </P> <P><A href="http://docs.splunk.com/Documentation/Splunk/5.0.4/SearchReference/Commontimeformatvariables">http://docs.splunk.com/Documentation/Splunk/5.0.4/SearchReference/Commontimeformatvariables</A></P> Mon, 19 Aug 2013 13:20:35 GMT https://community.splunk.com/t5/Getting-Data-In/CSV-Timestamp-issue/m-p/38239#M7027 kristian_kolb 2013-08-19T13:20:35Z