Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Failed to parse timestamp in psv file

the_sigma
Explorer
‎07-11-2024 04:29 PM

I have the following pipe separated value file that I am having problems onboarding.  The first row is the column headers. Second row is sample data.  I'm getting an error when attempting to use the CREA_TS column as the timestamps

CREA_TS|ACTION|PRSN_ADDR_AUDT_ID|PRSN_ADDR_ID|PRSN_ID|SRC_ID
07102024070808|INSERT|165713232|147994550|101394986|OLASFL

 

This is what I have for props but I cannot get it to identify the timestamp.   Any help will be greatly appreciated.

[ psv ]
CHARSET=UTF-8
FIELD_DELIMITER=|
HEADER_FIELD_DELIMITER=|
INDEXED_EXTRACTIONS=psv
KV_MODE=none
SHOULD_LINEMERGE=false
category=Structured
description=Pipe-separated value format. Set header and other settings in "Delimited Settings"
disabled=false
pulldown_type=true
LINE_BREAKER=([\r\n]+)
TIMESTAMP_FIELDS=CREA_TS
TIME_PREFIX=^
MAX_TIMESTAMP_LOOKAHEAD=14
Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-12-2024 02:25 AM

I think the time format is more likely to be

TIME_FORMAT=%m%d%Y%H%M%S

View solution in original post

Reply
Solved! Jump to solution

manjunathmeti
Champion
‎07-12-2024 02:06 AM

Hi @the_sigma,

Try these configs:

[ psv ]
CHARSET=UTF-8
INDEXED_EXTRACTIONS=PSV
SHOULD_LINEMERGE=false
category=Structured
description=Pipe-separated value format.
TIME_PREFIX=^
MAX_TIMESTAMP_LOOKAHEAD=14
TIME_FORMAT=%d%m%Y%H%M%S

 

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-12-2024 02:25 AM

I think the time format is more likely to be

TIME_FORMAT=%m%d%Y%H%M%S
Reply
Solved! Jump to solution

the_sigma
Explorer
‎07-12-2024 12:36 PM

It ended up being the time format was wrong.  I had the month and day swapped.  Thanks all for chiming in.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-11-2024 11:46 PM

Hi @the_sigma,

the props.conf seems to be ok, what's the issue you have?

the only thing is that I don't see the TIME_FORMAT field.

try saving a copy of your data in a text file and adding it using the Add data function: in this way you can test your extraction and eventual updates.

Ciao.

Giuseppe

 

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...