Getting Data In

Change timestamp and making it effective

davidjehoul
Explorer

Hi,
I'm trying to redefine the timestamp for my resource that contains data as follows:

DBInit-27,21/02/2013 9:28:26,22/02/2013 16:30:16,0,R_1812,0,Netscape3.0,0,0,3,172.21.0.132,172.21.0.132,ohm-web-7.9.0-SNAPSHOT (6f5d6 - 2013-02-26 13:58:14),20130301_110723,1/03/2013 11:12:38,1/03/2013 11:12:45,7,True,DAVIDJ-3500,x86,4

By default, the timestamp that is extracted is the first one that it encounters, being 21/02/2013 9:28:26 in this case. However, I want to make the timestamp to be 1/03/2013 11:12:38 (the one before the last timestamp). For this, I added the following in C:\Program Files\Splunk\etc\apps\search\default\props.conf:

[source::C:\\Temp\\testResultLog.csv]
TIME_PREFIX = \d{8}_\d{6},
TIME_FORMAT = %d/%m/%y %H:%M:%S

The regex matches 20130301_110723, expecting to define the timestamp as I desire, as is explained in the manual.
Unfortunately, this has no effect; I tried to stop and start splunk; did a source="C:\\Temp\\testResultLog.csv" | extract reload=T; all to no effect ..

Thanks!

Tags (1)
0 Karma

Ayn
Legend

Timestamp extraction takes place at index-time, and as such changes to this will not apply to data that has already been indexed. You need to reindex your data.

Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...