Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- CSV Timestamp issue
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
CSV Timestamp issue
I am struggling to get splunk to parse the timestamps properly in a CSV file (Firefox Web History log exported to CSV). I tried the default CSV type, and all I get is the CSV file's modtime listed as the timestamps. Here are the first few lines of the CSV (redacted):
4/3/07 0:36, some url,html,????
4/3/07 0:35,some url, html,?????
4/3/07 0:34,some url,html, ????
Here is what I have added to my props.conf file:
TIME_FORMAT = %M/%D/%Y %H:%M
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 19
Same error. Any advice appreciated as I am new to splunk and still figuring it out.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should probably try a different set of strptime/strftime variables. Currently you define your TIME_FORMAT as
minute/full date/year hour:minute
I'd try to change this into
TIME_FORMAT = %D %H:%M
%D = m/d/y
for more info, see; http://www.strftime.net
/K
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good point. Though I seem to remember that Splunk can handle optional leading zeroes. But to be more exact, try;
TIME_FORMAT = %m/%e/%y %k:%M
There is (afaik) no 1-12 format for months, %m requires 01-12. Also, if your hours are 1-12 use %l (lower-case L) instead of %k (which is 0-23).
http://docs.splunk.com/Documentation/Splunk/5.0.4/SearchReference/Commontimeformatvariables
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There's also the issue with that %H assumes a two-digit value, so the hour "0" would not be understood (it expects "00"). %k is the equivalent without leading zero. Same goes for the day of the month (%e is without leading zero), etc.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Tried your suggestion and same problem. Note: I did make sure that the source file was re-indexed.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Automating Threat Operations and Threat Hunting with Recorded Future
Keep the Learning Going with the New Best of .conf Hub
Splunk Community Badges!
