Failed to parse timestamp in psv file

the_sigma
Explorer

I have the following pipe-separated value file that I am having problems onboarding. The first row is the column headers. The second row is sample data. I'm getting an error when attempting to use the CREA_TS column as the timestamps.

CREA_TS|ACTION|PRSN_ADDR_AUDT_ID|PRSN_ADDR_ID|PRSN_ID|SRC_ID
07102024070808|INSERT|165713232|147994550|101394986|OLASFL

 

This is what I have for props but I cannot get it to identify the timestamp.   Any help will be greatly appreciated.

[ psv ]
CHARSET=UTF-8
FIELD_DELIMITER=|
HEADER_FIELD_DELIMITER=|
INDEXED_EXTRACTIONS=psv
KV_MODE=none
SHOULD_LINEMERGE=false
category=Structured
description=Pipe-separated value format. Set header and other settings in "Delimited Settings"
disabled=false
pulldown_type=true
LINE_BREAKER=([\r\n]+)
TIMESTAMP_FIELDS=CREA_TS
TIME_PREFIX=^
MAX_TIMESTAMP_LOOKAHEAD=14
0 Karma
1 Solution

ITWhisperer
SplunkTrust

I think the time format is more likely to be

TIME_FORMAT=%m%d%Y%H%M%S


manjunathmeti
Champion

Hi @the_sigma,

Try these configs:

[ psv ]
CHARSET=UTF-8
INDEXED_EXTRACTIONS=PSV
SHOULD_LINEMERGE=false
category=Structured
description=Pipe-separated value format.
TIME_PREFIX=^
MAX_TIMESTAMP_LOOKAHEAD=14
TIME_FORMAT=%d%m%Y%H%M%S

 

0 Karma

the_sigma
Explorer

It ended up being the time format was wrong.  I had the month and day swapped.  Thanks all for chiming in.

0 Karma
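
Added example (not written by any poster in this thread): the sample CREA_TS value parses cleanly under both TIME_FORMAT strings proposed above, so a single row cannot tell month-first from day-first. The Python check below uses strptime as a stand-in for Splunk's timestamp parser (an assumption); the second data row and the function names are constructed for illustration.

```python
from datetime import datetime

# The two TIME_FORMAT strings proposed in the thread (strptime syntax).
CANDIDATES = {
    "month_first": "%m%d%Y%H%M%S",
    "day_first": "%d%m%Y%H%M%S",
}

# Header and first data row are from the question; the extra row is
# constructed (day 25 cannot be read as a month).
PAGE_SAMPLE = """CREA_TS|ACTION|PRSN_ADDR_AUDT_ID|PRSN_ADDR_ID|PRSN_ID|SRC_ID
07102024070808|INSERT|165713232|147994550|101394986|OLASFL
"""
CONSTRUCTED_ROW = "07252024070808|INSERT|1|2|3|EXAMPLE\n"

def timestamp_column(psv_text, field="CREA_TS"):
    """Return the raw values of `field`, located via the header row."""
    rows = [line.split("|") for line in psv_text.splitlines() if line.strip()]
    idx = rows[0].index(field)
    return [row[idx] for row in rows[1:]]

def parse_all(values, fmt):
    """Parse every value with fmt; return None if any value does not fit."""
    parsed = []
    for value in values:
        # Enforce the fixed 14-digit layout before handing off to strptime.
        if len(value) != 14 or not value.isdigit():
            return None
        try:
            parsed.append(datetime.strptime(value, fmt))
        except ValueError:
            return None
    return parsed

def fitting_formats(psv_text):
    """Map candidate name -> parsed datetimes, for formats that fit every row."""
    values = timestamp_column(psv_text)
    results = {name: parse_all(values, fmt) for name, fmt in CANDIDATES.items()}
    return {name: parsed for name, parsed in results.items() if parsed is not None}

if __name__ == "__main__":
    for label, text in (("page row only", PAGE_SAMPLE),
                        ("plus constructed row", PAGE_SAMPLE + CONSTRUCTED_ROW)):
        fits = fitting_formats(text)
        print(label, "->", {name: str(p[0]) for name, p in fits.items()})
```

With only the row from the question, both formats fit and the two readings are 89 days apart; a row whose day is greater than 12 leaves only the month-first format.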

gcusello
SplunkTrust

Hi @the_sigma,

The props.conf seems to be OK; what's the issue you have?

The only thing is that I don't see the TIME_FORMAT field.

Try saving a copy of your data in a text file and adding it using the Add data function: in this way you can test your extraction and eventual updates.

Ciao.

Giuseppe

 

0 Karma