https://community.splunk.com/t5/Getting-Data-In/Why-are-events-indexing-with-the-wrong-time-stamp/m-p/501012#M85349 <P>Thank you for your help, changing the TIME_PREFIX = ^\" solved the problem.</P> <P>Best regards!</P> Mon, 14 Oct 2019 17:17:43 GMT acceo_purch 2019-10-14T17:17:43Z https://community.splunk.com/t5/Getting-Data-In/Why-are-events-indexing-with-the-wrong-time-stamp/m-p/501009#M85346 <P>Hi,</P> <P>A csv file has the format dd-mm-year hh:mm. Splunk swap the day and month for the events for the first 9 days of a month. <BR /> For example an event with a date 09-10-2019 05:05 (9 October 2019) is indexed as 10/9/19 (10 September 2019). <BR /> But an event with a date 11-10-2019 05:05 (11 October 2019) is right indexed as 10/11/19 (11 October 2019)</P> <P>Here is an example of a csv file for the 10 September 2019:<BR /> <STRONG>"10-09-2019 05:05","PG","PER","2","2"<BR /> "10-09-2019 05:05","DG","USA","1","3"</STRONG></P> <P>It's indexed in the month of October the 9th 2019 instead of September 10th 2019: <BR /> <STRONG>TIME (M/D/Y) | EVENT (D/M/Y)<BR /> 10/9/19 | 10-09-2019 05:05,PG,PER,2,2 <BR /> 5:30:00:000 AM<BR /> 10/9/19 | 10-09-2019 05:05,DG,USA,1,3 <BR /> 5:30:00:000 AM</STRONG></P> <P>props.conf :</P> <PRE><CODE>[csv_inv] SEDCMD-removeDoubleQuotes= s/\"//g DATETIME_CONFIG = INDEXED_EXTRACTIONS = csv NO_BINARY_CHECK = true category = Structured pulldown_type = 1 TIME_PREFIX = ^ TIME_FORMAT = %d-%m-%Y %H:%M </CODE></PRE> <P>Can anyone help me with this? <BR /> Thanks.</P> Fri, 11 Oct 2019 18:50:57 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-events-indexing-with-the-wrong-time-stamp/m-p/501009#M85346 acceo_purch 2019-10-11T18:50:57Z https://community.splunk.com/t5/Getting-Data-In/Why-are-events-indexing-with-the-wrong-time-stamp/m-p/501010#M85347 <P>If the CSV file really has quotation marks around each field then the time prefix is incorrect.</P> <P><CODE>TIME_PREFIX = ^"</CODE></P> Fri, 11 Oct 2019 20:43:07 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-events-indexing-with-the-wrong-time-stamp/m-p/501010#M85347 richgalloway 2019-10-11T20:43:07Z https://community.splunk.com/t5/Getting-Data-In/Why-are-events-indexing-with-the-wrong-time-stamp/m-p/501011#M85348 <P>Hi acceo_purch,<BR /> as suggested by <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>, at first, use the correct <CODE>TIME_PREFIX = ^\"</CODE></P> <P>Then, where is this props.conf?<BR /> Usually it must be on Indexers, but when you ingest csv files it must be also on Universal Forwarders</P> <P>Ciao.<BR /> Giuseppe</P> Wed, 30 Sep 2020 02:31:55 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-events-indexing-with-the-wrong-time-stamp/m-p/501011#M85348 gcusello 2020-09-30T02:31:55Z https://community.splunk.com/t5/Getting-Data-In/Why-are-events-indexing-with-the-wrong-time-stamp/m-p/501012#M85349 <P>Thank you for your help, changing the TIME_PREFIX = ^\" solved the problem.</P> <P>Best regards!</P> Mon, 14 Oct 2019 17:17:43 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-events-indexing-with-the-wrong-time-stamp/m-p/501012#M85349 acceo_purch 2019-10-14T17:17:43Z https://community.splunk.com/t5/Getting-Data-In/Why-are-events-indexing-with-the-wrong-time-stamp/m-p/501013#M85350 <P>Thanks Giuseppe, adding the right TIME_PREFIX = ^\" solved the problem.</P> <P>Best regards!</P> Mon, 14 Oct 2019 17:19:18 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-events-indexing-with-the-wrong-time-stamp/m-p/501013#M85350 acceo_purch 2019-10-14T17:19:18Z