Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Can you help me with my CSV timestamp issue?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you help me with my CSV timestamp issue?
At the forwarder, there are CSV files getting loaded on a path for every 1 hour, which gets the last 1 hour of data. I am getting indexed time as wrong. I need to have the correct timestamp as the event has. This is happening for this index only ?
I just want to know what is the props.conf that I need to declare to have the same timestamp as that of the event. Indexed time is 1 hour before the event time. All the servers are in CST Time. Below are two events.
index=ssd
souretype=ssd_bmc
10/29/18 11:23:34.000 AM *****,,2010-04-01,***,10/29/2018 10:23:34 AM,10/29/2018 10:24:21 AM,*****,10/29/2018 10:24:21 AM,,sip:******@******,sip:****@****,,-0.00180,ssd,sop,,
10/29/18 11:13:34.000 AM*****,,2010-04-01,***,10/29/2018 10:13:34 AM,10/29/2018 10:14:21 AM,*****,10/29/2018 10:14:21 AM,,sip:******@******,sip:****@****,,-0.00130,ssd,sop,,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@arunsoni try this
apps/local/props.conf
[ssd_bmc]
INDEXED_EXTRACTIONS = CSV
SHOULD_LINEMERGE = false
if required add few more settings to the props.conf as per your data. Since this is structured data file, the props.conf can be on the forwarder where you're monitoring the file. Don't forget to restart splunkd on the forwarder once you deploy props.conf. For more information please check below link.
http://docs.splunk.com/Documentation/Splunk/6.6.4/Data/Extractfieldsfromfileswithstructureddata
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10/29/18 11:23:34.000 AM **,,2010-04-01,,10/29/2018 10:23:34 AM,10/29/2018 10:24:21 AM,**,10/29/2018 10:24:21 AM,,sip:@,sip:@***,,-0.00180,ssd,sop,,
As per the above event I need to have the time as the event time but it is showing as 1 hour before i.e.. 11:23:34.000 AM as indexed time and 10/29/2018 10:23:34 AM as event time. So both should be same time i.e.. event time. How can I fix it. Please help on it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@arunsoni could you share a sample of your csv?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
