Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can you help me with my CSV timestamp issue?

arunsoni
Explorer
‎10-29-2018 08:33 AM

At the forwarder, there are CSV files getting loaded on a path for every 1 hour, which gets the last 1 hour of data. I am getting indexed time as wrong. I need to have the correct timestamp as the event has. This is happening for this index only ?

I just want to know what is the props.conf that I need to declare to have the same timestamp as that of the event. Indexed time is 1 hour before the event time. All the servers are in CST Time. Below are two events.

index=ssd
souretype=ssd_bmc

10/29/18 11:23:34.000 AM    *****,,2010-04-01,***,10/29/2018 10:23:34 AM,10/29/2018 10:24:21 AM,*****,10/29/2018 10:24:21 AM,,sip:******@******,sip:****@****,,-0.00180,ssd,sop,,
10/29/18 11:13:34.000 AM*****,,2010-04-01,***,10/29/2018 10:13:34 AM,10/29/2018 10:14:21 AM,*****,10/29/2018 10:14:21 AM,,sip:******@******,sip:****@****,,-0.00130,ssd,sop,,
Tags (1)
0 Karma
Reply

Rob2520
Communicator
‎10-29-2018 12:42 PM

@arunsoni try this

apps/local/props.conf
[ssd_bmc]
INDEXED_EXTRACTIONS = CSV
SHOULD_LINEMERGE = false

if required add few more settings to the props.conf as per your data. Since this is structured data file, the props.conf can be on the forwarder where you're monitoring the file. Don't forget to restart splunkd on the forwarder once you deploy props.conf. For more information please check below link.

http://docs.splunk.com/Documentation/Splunk/6.6.4/Data/Extractfieldsfromfileswithstructureddata

0 Karma
Reply

arunsoni
Explorer
‎10-29-2018 12:52 PM

10/29/18 11:23:34.000 AM **,,2010-04-01,,10/29/2018 10:23:34 AM,10/29/2018 10:24:21 AM,**,10/29/2018 10:24:21 AM,,sip:@,sip:@***,,-0.00180,ssd,sop,,

As per the above event I need to have the time as the event time but it is showing as 1 hour before i.e.. 11:23:34.000 AM as indexed time and 10/29/2018 10:23:34 AM as event time. So both should be same time i.e.. event time. How can I fix it. Please help on it.

0 Karma
Reply

Rob2520
Communicator
‎10-29-2018 07:22 PM

@arunsoni could you share a sample of your csv?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...

Customer success is front and center at .conf25

Hi Splunkers, If you are not able to be at .conf25 in person, you can still learn about all the latest news ...

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...