https://community.splunk.com/t5/Getting-Data-In/Defining-time-column-in-csv-uploaded/m-p/443919#M77291 <P>Good afternoon.</P> <P>This question might be already answered. But so far I searched I had no luck in understanding how to fix my issue. I worked before coding search syntax with Splunk but never before doing admin stuff inside Splunk.</P> <P>I have a csv file with some columns and one of them is "Date" field which I want to use to sort the values in my other columns example:</P> <P><STRONG>date Total Ransom<BR /> 01/07/2017 0<BR /> 01/08/2017 160<BR /> 01/09/2017 191<BR /> 01/10/2017 257<BR /> 01/11/2017 147<BR /> 01/12/2017 194<BR /> 01/01/2018 77<BR /> 01/02/2018 187<BR /> 01/03/2018 364<BR /> 01/04/2018 274<BR /> 01/05/2018 85</STRONG></P> <P>I would need to make a count with <STRONG>"Total Ransom"</STRONG> sorted by <STRONG>"Date"</STRONG> is pretty easy, but I cant define Date as _time.</P> <P>¿How would I be able to do this? I read something about modifying the file <STRONG>datetime.xml</STRONG> , but I want to be sure before I modify a system file.</P> <P>Thanks for your time in advance!</P> Fri, 13 Jul 2018 13:55:42 GMT kiraitachi 2018-07-13T13:55:42Z https://community.splunk.com/t5/Getting-Data-In/Defining-time-column-in-csv-uploaded/m-p/443919#M77291 <P>Good afternoon.</P> <P>This question might be already answered. But so far I searched I had no luck in understanding how to fix my issue. I worked before coding search syntax with Splunk but never before doing admin stuff inside Splunk.</P> <P>I have a csv file with some columns and one of them is "Date" field which I want to use to sort the values in my other columns example:</P> <P><STRONG>date Total Ransom<BR /> 01/07/2017 0<BR /> 01/08/2017 160<BR /> 01/09/2017 191<BR /> 01/10/2017 257<BR /> 01/11/2017 147<BR /> 01/12/2017 194<BR /> 01/01/2018 77<BR /> 01/02/2018 187<BR /> 01/03/2018 364<BR /> 01/04/2018 274<BR /> 01/05/2018 85</STRONG></P> <P>I would need to make a count with <STRONG>"Total Ransom"</STRONG> sorted by <STRONG>"Date"</STRONG> is pretty easy, but I cant define Date as _time.</P> <P>¿How would I be able to do this? I read something about modifying the file <STRONG>datetime.xml</STRONG> , but I want to be sure before I modify a system file.</P> <P>Thanks for your time in advance!</P> Fri, 13 Jul 2018 13:55:42 GMT https://community.splunk.com/t5/Getting-Data-In/Defining-time-column-in-csv-uploaded/m-p/443919#M77291 kiraitachi 2018-07-13T13:55:42Z https://community.splunk.com/t5/Getting-Data-In/Defining-time-column-in-csv-uploaded/m-p/443920#M77292 <P>Try this<BR /> <PRE> | inputlookup my_lookup.csv | eval New_Date = strptime(Date, "%d/%m/%Y")| sort New_Date | fields - New_Date </PRE></P> Tue, 29 Sep 2020 20:26:36 GMT https://community.splunk.com/t5/Getting-Data-In/Defining-time-column-in-csv-uploaded/m-p/443920#M77292 pradeepkumarg 2020-09-29T20:26:36Z https://community.splunk.com/t5/Getting-Data-In/Defining-time-column-in-csv-uploaded/m-p/443921#M77293 <P>Use <CODE>INDEXED_EXTRACTIONS</CODE> as documented here:</P> <P><A href="https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf">https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf</A></P> Sun, 15 Jul 2018 16:57:01 GMT https://community.splunk.com/t5/Getting-Data-In/Defining-time-column-in-csv-uploaded/m-p/443921#M77293 woodcock 2018-07-15T16:57:01Z https://community.splunk.com/t5/Getting-Data-In/Defining-time-column-in-csv-uploaded/m-p/443922#M77294 <P>So answering to myself. I tried above answers but where not quite what I was looking for.</P> <P>Although I found how to do it following <A href="http://docs.splunk.com/Documentation/Splunk/7.1.2/Data/Configuretimestamprecognition">http://docs.splunk.com/Documentation/Splunk/7.1.2/Data/Configuretimestamprecognition</A> </P> <P>As simple as to follow properly the formas supported:</P> <P>strptime() format expression examples<BR /> Here are some sample date formats, with the strptime() expressions that handle them:</P> <P>1998-12-31 %Y-%m-%d<BR /> 98-12-31 %y-%m-%d<BR /> 1998 years, 312 days %Y years, %j days<BR /> Jan 24, 2003 %b %d, %Y<BR /> January 24, 2003 %B %d, %Y<BR /> 1397477611.862 %s.%3N</P> <P>So when specifying timefield input, go to custom and specify the field that has the "date" and its format.</P> <P>Thanks!</P> Mon, 16 Jul 2018 13:17:16 GMT https://community.splunk.com/t5/Getting-Data-In/Defining-time-column-in-csv-uploaded/m-p/443922#M77294 kiraitachi 2018-07-16T13:17:16Z https://community.splunk.com/t5/Getting-Data-In/Defining-time-column-in-csv-uploaded/m-p/443923#M77295 <P>You should click <CODE>Accept</CODE> on your answer and <CODE>UpVote</CODE> any others that helped.</P> Mon, 16 Jul 2018 14:08:26 GMT https://community.splunk.com/t5/Getting-Data-In/Defining-time-column-in-csv-uploaded/m-p/443923#M77295 woodcock 2018-07-16T14:08:26Z