Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Alternate timestamp for CSV files or forwarded data

ngcgoon
Explorer
‎03-07-2011 12:14 AM

Does anyone know how we can use the timestamp of the file from the operating system as the timestamp for events? For example if I have 1000 line csv files that were created on Windows at 1:50 PM and then another file at 4:00 PM and another file at 7:00 PM how can I tell splunk to use that timestamp for the events rather than searching the CSV file trying to find a timestamp? Because there may be multiple fields that have a timestamp but I just need to develop my searches to know when the file was created.

Tags (3)
0 Karma
Reply

piebob
Splunk Employee
Splunk Employee
‎03-07-2011 07:36 PM

what dwaddle says will totally work, but this is a simpler method:

http://www.splunk.com/base/Documentation/latest/Admin/Tunetimestampextractionforbetterindexingperfor...

just turn off the timestamping and Splunk will just use the modtime of the file.

Reply

dwaddle
SplunkTrust
SplunkTrust
‎03-07-2011 07:27 PM

Splunk has a series of rules it goes through in determining how to timestamp an event from any source.

Splunk doc link to how timestamps are auto-recognized:

http://www.splunk.com/base/Documentation/latest/Admin/Configuretimestamprecognition

It sounds like option #5 in that doc is where you are trying to go:

  1. For file sources, if no time or date can be identified in the file name, use the modification time on the file.

I don't see a way of explicitly forcing Splunk to go to that option, but you may be able to influence it into thinking there is NO valid timestamp within the file. Maybe with something like this (props.conf):

[mysourcetype]
TIME_PREFIX=^this should not ever happen$

This takes advantage of the TIME_PREFIX rule of "If the TIME_PREFIX cannot be found in the event text, timestamp extraction does not take place." Obviously, your input file can't have a line in it that says only "this should not ever happen"

One option that is easily settable is using the "current time" always. This is the time Splunk indexes the event, not necessarily the time of the file. See related question/answer at:

http://answers.splunk.com/questions/12104/using-index-time-as-time-stamp/12106#12106

Reply

dwaddle
SplunkTrust
SplunkTrust
‎03-07-2011 07:37 PM

Yeah, just use what piebob's said, way more clear.

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...