Getting Data In

Alternate timestamp for CSV files or forwarded data


Does anyone know how we can use the timestamp of the file from the operating system as the timestamp for events? For example if I have 1000 line csv files that were created on Windows at 1:50 PM and then another file at 4:00 PM and another file at 7:00 PM how can I tell splunk to use that timestamp for the events rather than searching the CSV file trying to find a timestamp? Because there may be multiple fields that have a timestamp but I just need to develop my searches to know when the file was created.

Tags (3)
0 Karma


what dwaddle says will totally work, but this is a simpler method:

just turn off the timestamping and Splunk will just use the modtime of the file.

Path Finder


Splunk has a series of rules it goes through in determining how to timestamp an event from any source.

Splunk doc link to how timestamps are auto-recognized:

It sounds like option #5 in that doc is where you are trying to go:

  1. For file sources, if no time or date can be identified in the file name, use the modification time on the file.

I don't see a way of explicitly forcing Splunk to go to that option, but you may be able to influence it into thinking there is NO valid timestamp within the file. Maybe with something like this (props.conf):

TIME_PREFIX=^this should not ever happen$

This takes advantage of the TIME_PREFIX rule of "If the TIME_PREFIX cannot be found in the event text, timestamp extraction does not take place." Obviously, your input file can't have a line in it that says only "this should not ever happen"

One option that is easily settable is using the "current time" always. This is the time Splunk indexes the event, not necessarily the time of the file. See related question/answer at:


Yeah, just use what piebob's said, way more clear.

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!