Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

CSV Timestamp issue

drangzt
New Member
‎08-18-2013 07:17 PM

I am struggling to get splunk to parse the timestamps properly in a CSV file (Firefox Web History log exported to CSV). I tried the default CSV type, and all I get is the CSV file's modtime listed as the timestamps. Here are the first few lines of the CSV (redacted):

4/3/07 0:36, some url,html,????

4/3/07 0:35,some url, html,?????

4/3/07 0:34,some url,html, ????

Here is what I have added to my props.conf file:

TIME_FORMAT = %M/%D/%Y %H:%M

SHOULD_LINEMERGE = false

MAX_TIMESTAMP_LOOKAHEAD = 19

Same error. Any advice appreciated as I am new to splunk and still figuring it out.

Tags (2)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎08-19-2013 12:11 AM

You should probably try a different set of strptime/strftime variables. Currently you define your TIME_FORMAT as

minute/full date/year hour:minute

I'd try to change this into

TIME_FORMAT = %D %H:%M

%D = m/d/y

for more info, see; http://www.strftime.net

/K

0 Karma
Reply

kristian_kolb
Ultra Champion
‎08-19-2013 06:20 AM

Good point. Though I seem to remember that Splunk can handle optional leading zeroes. But to be more exact, try;

TIME_FORMAT = %m/%e/%y %k:%M

There is (afaik) no 1-12 format for months, %m requires 01-12. Also, if your hours are 1-12 use %l (lower-case L) instead of %k (which is 0-23).

http://docs.splunk.com/Documentation/Splunk/5.0.4/SearchReference/Commontimeformatvariables

0 Karma
Reply

Ayn
Legend
‎08-19-2013 05:00 AM

There's also the issue with that %H assumes a two-digit value, so the hour "0" would not be understood (it expects "00"). %k is the equivalent without leading zero. Same goes for the day of the month (%e is without leading zero), etc.

Reply

drangzt
New Member
‎08-19-2013 04:53 AM

Tried your suggestion and same problem. Note: I did make sure that the source file was re-indexed.

0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...