Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Defining time column in .csv uploaded
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good afternoon.
This question might be already answered. But so far I searched I had no luck in understanding how to fix my issue. I worked before coding search syntax with Splunk but never before doing admin stuff inside Splunk.
I have a csv file with some columns and one of them is "Date" field which I want to use to sort the values in my other columns example:
date Total Ransom
01/07/2017 0
01/08/2017 160
01/09/2017 191
01/10/2017 257
01/11/2017 147
01/12/2017 194
01/01/2018 77
01/02/2018 187
01/03/2018 364
01/04/2018 274
01/05/2018 85
I would need to make a count with "Total Ransom" sorted by "Date" is pretty easy, but I cant define Date as _time.
¿How would I be able to do this? I read something about modifying the file datetime.xml , but I want to be sure before I modify a system file.
Thanks for your time in advance!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So answering to myself. I tried above answers but where not quite what I was looking for.
Although I found how to do it following http://docs.splunk.com/Documentation/Splunk/7.1.2/Data/Configuretimestamprecognition
As simple as to follow properly the formas supported:
strptime() format expression examples
Here are some sample date formats, with the strptime() expressions that handle them:
1998-12-31 %Y-%m-%d
98-12-31 %y-%m-%d
1998 years, 312 days %Y years, %j days
Jan 24, 2003 %b %d, %Y
January 24, 2003 %B %d, %Y
1397477611.862 %s.%3N
So when specifying timefield input, go to custom and specify the field that has the "date" and its format.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So answering to myself. I tried above answers but where not quite what I was looking for.
Although I found how to do it following http://docs.splunk.com/Documentation/Splunk/7.1.2/Data/Configuretimestamprecognition
As simple as to follow properly the formas supported:
strptime() format expression examples
Here are some sample date formats, with the strptime() expressions that handle them:
1998-12-31 %Y-%m-%d
98-12-31 %y-%m-%d
1998 years, 312 days %Y years, %j days
Jan 24, 2003 %b %d, %Y
January 24, 2003 %B %d, %Y
1397477611.862 %s.%3N
So when specifying timefield input, go to custom and specify the field that has the "date" and its format.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should click Accept on your answer and UpVote any others that helped.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use INDEXED_EXTRACTIONS as documented here:
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
| inputlookup my_lookup.csv | eval New_Date = strptime(Date, "%d/%m/%Y")| sort New_Date | fields - New_Date
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
Unlock What’s Next: The Splunk Cloud Platform at .conf25
