Solved: CSV file import, problem with date format

tompadora · ‎11-27-2017

I have been trying to onboard at custom dataset into splunk as a csv file.
But the dateformat doesnt get right.

199703260005,1997,3,26,,0,,160,Philippines,5,Southeast

First is the year 4 digits , then month 2 digits and date 2 digits and a prefix
Any suggestions?
Thanks in advance
/Thomas

MuS · ‎11-27-2017

Hi tompadora,

if the time the first combination of 199703260005 then add the following line to your props.conf:

[cvsSourceTypeNameHere]
TIME_FORMAT = %Y%m%d

if it is the second one ,1997,3,26 then add this to your props.conf:

[cvsSourceTypeNameHere]
TIME_PREFIX = \d{12},
TIME_FORMAT = %Y,%m,%d

Hope this helps ...

cheers, MuS

View solution in original post

woodcock · ‎11-27-2017

You will almost certainly have to adjust some other limit settings in order for your events to be indexed, namely MAX_DAYS_AGO, otherwise you will see the events skipped with a log like "YourOldTimeHere is outside of the acceptable time window".

MuS · ‎11-27-2017

Hi tompadora,

if the time the first combination of 199703260005 then add the following line to your props.conf:

[cvsSourceTypeNameHere]
TIME_FORMAT = %Y%m%d

if it is the second one ,1997,3,26 then add this to your props.conf:

[cvsSourceTypeNameHere]
TIME_PREFIX = \d{12},
TIME_FORMAT = %Y,%m,%d

Hope this helps ...

cheers, MuS

CSV file import, problem with date format

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

CSV file import, problem with date format

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases