https://community.splunk.com/t5/Getting-Data-In/Getting-time-stamps-correctly/m-p/39886#M7420 <P>I'm trying to get a csv file correctly indexed. I can't however seem to get the timestamp props.conf to work correctly.</P> <P>This is a line of sample data.</P> <P>A5,2012:04:30:03:48:24,AAAA,1,1,10000,0000,2012:04:30:03:48:24,0711111111,249,1800111111,07111110,,AAAA,0</P> <P>This is the resulting time stamp.</P> <P>Incorrect format : 11/12/2010 04:30:03.400<BR /> Correct format : 30/04/2012 03:48:24</P> <P>And these are my config's.</P> <PRE><CODE>Inputs.conf [monitor://C:\sampledata.20120430035907.Z] disabled = false followTail = 0 host = LOG_HOST index = MY_LOG sourcetype = LOG props.conf [LOG] BREAK_ONLY_BEFORE = ^A5,* NO_BINARY_CHECK = 1 SHOULD_LINEMERGE = true TIME_FORMAT = %Y:%m:%d:%H:%M:%S TIME_PREFIX = A5, pulldown_type = 1 TRANSFORMS-log = log_extractions [log-extractions] DELIMS = "," FIELDS = "field1","field2" etc etc etc </CODE></PRE> <P>I used the timeprefix to try and get it to detect the first time entry.</P> <P>The field extraction works fine just not the initial time stamp detection.</P> Tue, 01 May 2012 04:14:29 GMT Lucas_K 2012-05-01T04:14:29Z https://community.splunk.com/t5/Getting-Data-In/Getting-time-stamps-correctly/m-p/39886#M7420 <P>I'm trying to get a csv file correctly indexed. I can't however seem to get the timestamp props.conf to work correctly.</P> <P>This is a line of sample data.</P> <P>A5,2012:04:30:03:48:24,AAAA,1,1,10000,0000,2012:04:30:03:48:24,0711111111,249,1800111111,07111110,,AAAA,0</P> <P>This is the resulting time stamp.</P> <P>Incorrect format : 11/12/2010 04:30:03.400<BR /> Correct format : 30/04/2012 03:48:24</P> <P>And these are my config's.</P> <PRE><CODE>Inputs.conf [monitor://C:\sampledata.20120430035907.Z] disabled = false followTail = 0 host = LOG_HOST index = MY_LOG sourcetype = LOG props.conf [LOG] BREAK_ONLY_BEFORE = ^A5,* NO_BINARY_CHECK = 1 SHOULD_LINEMERGE = true TIME_FORMAT = %Y:%m:%d:%H:%M:%S TIME_PREFIX = A5, pulldown_type = 1 TRANSFORMS-log = log_extractions [log-extractions] DELIMS = "," FIELDS = "field1","field2" etc etc etc </CODE></PRE> <P>I used the timeprefix to try and get it to detect the first time entry.</P> <P>The field extraction works fine just not the initial time stamp detection.</P> Tue, 01 May 2012 04:14:29 GMT https://community.splunk.com/t5/Getting-Data-In/Getting-time-stamps-correctly/m-p/39886#M7420 Lucas_K 2012-05-01T04:14:29Z https://community.splunk.com/t5/Getting-Data-In/Getting-time-stamps-correctly/m-p/39887#M7421 <P>solved it myself.</P> <P>Incorrect.<BR /> TIME_FORMAT = %Y:%m:%d:%H:%M:%S</P> <P>Correct.<BR /> TIME_FORMAT=%Y:%m:%d:%H:%M:%S</P> <P>It was literally looking for the white space in each of that statement.</P> Thu, 03 May 2012 01:22:32 GMT https://community.splunk.com/t5/Getting-Data-In/Getting-time-stamps-correctly/m-p/39887#M7421 Lucas_K 2012-05-03T01:22:32Z