Solved: CSV file import, problem with date format

tompadora · ‎11-27-2017

I have been trying to onboard at custom dataset into splunk as a csv file.
But the dateformat doesnt get right.

199703260005,1997,3,26,,0,,160,Philippines,5,Southeast

First is the year 4 digits , then month 2 digits and date 2 digits and a prefix
Any suggestions?
Thanks in advance
/Thomas

MuS · ‎11-27-2017

Hi tompadora,

if the time the first combination of 199703260005 then add the following line to your props.conf:

[cvsSourceTypeNameHere]
TIME_FORMAT = %Y%m%d

if it is the second one ,1997,3,26 then add this to your props.conf:

[cvsSourceTypeNameHere]
TIME_PREFIX = \d{12},
TIME_FORMAT = %Y,%m,%d

Hope this helps ...

cheers, MuS

View solution in original post

woodcock · ‎11-27-2017

You will almost certainly have to adjust some other limit settings in order for your events to be indexed, namely MAX_DAYS_AGO, otherwise you will see the events skipped with a log like "YourOldTimeHere is outside of the acceptable time window".

MuS · ‎11-27-2017

Hi tompadora,

if the time the first combination of 199703260005 then add the following line to your props.conf:

[cvsSourceTypeNameHere]
TIME_FORMAT = %Y%m%d

if it is the second one ,1997,3,26 then add this to your props.conf:

[cvsSourceTypeNameHere]
TIME_PREFIX = \d{12},
TIME_FORMAT = %Y,%m,%d

Hope this helps ...

cheers, MuS

CSV file import, problem with date format

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

Are you a member of the Splunk Community?

CSV file import, problem with date format

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25