Can Thing be all sites or devices somehow? I've tried a few different 'things' and usually I end up with 1 data point for the time that the .csv was indexed, I can't determine why the value for that one point in time is what it is yet either.

I guess I'm unsure what the intention of 'Thing' is currently.

The visualization showed me one data point as well for the date of index(not any date(s) in the csv for the values). What I would hope to get is a graph trending those values as they go up or down over time in the CSV.

Thanks fo the help,

Nick

That's the point; whatever you decide to put into "Thing" is how the used-bytes are aggregated. If you'd like it ALL clumped together, then just remove BY Thing altogether.

You will only get one data point if your timepicker is set to less than a day (e.g. "Last Hour") so you need to make it something like "Last 7 days" to see more datapoints.

Can it use the dates in the spreadsheet or will it always use the date/time from the file(csv) it's indexed? I think that may be part of my issue as the dates in the spreadsheet go back 8 months(and will continue to go back further) whereas the dates that the file is written to and that splunk it stamping it with really means nothing to me.

I had assumed that you already set it up so that it was timestamping based on the first field in each event; is that not the case? How are the events being timestamped? Naturally, if you did nothing to tell Splunk what to do, it should have used the first field of each line for each event's timestamp; is it not doing this?

I must not - It shows the creation/index time as the timestamp and I'm seeing my date field in the event section. I think this must be key as nothing is acting right as you've suggested.

The events are timestamped with a day they were entered, the first entry in the csv is a date but it's just mm/dd/yyyy format. Just like the example above.

Yes, actually there is only 1 event per thing every 2-4 weeks. Yes exactly!

How exactly do I leverage that? using that syntax (TIME_FORMAT=%m/%d/%Y and TIME_PREFIX=^) in my search did not return anything. Sorry, you truly are dealing with a noob!

How did you setup your input? Did you use the GUI or CLI (inputs.conf)? Both methods allow you to set these things.

I used to GUI and added it as a Data Source(Folder Monitor).

Go to Settings -> Data inputs -> Files & directories -> `and find the place for theTIME*` settings that I gave and save them in the correct spot.

All I have is 'Host','Source Type','Index', and 'Advanced Options(Whitelist/blacklist)' - Nothing for reformatting the time that I can tell.

I'm adding a new source(file) - Which is letting me adjust the time format, it can't recognize my 'date' format as a time format it can use yet however.

It was due to me adding the folder the file was writing to, I've added the folder and I'm now trying to get it to recognize the time format.

There absolutely should be something that walks you through identifying the timestamp. I never use the GUI/wizard so I cannot be more specific.

But there is only 1 event per "Thing" every day, so it would be good to timestamp based on that first field, right? If so, tell Splunk to do that with TIME_FORMAT=%m/%d/%Y and TIME_PREFIX=^. Then all the stuff we have discussed will work.