Solved: Getting time stamps correctly.

Lucas_K · ‎04-30-2012

I'm trying to get a csv file correctly indexed. I can't however seem to get the timestamp props.conf to work correctly.

This is a line of sample data.

A5,2012:04:30:03:48:24,AAAA,1,1,10000,0000,2012:04:30:03:48:24,0711111111,249,1800111111,07111110,,AAAA,0

This is the resulting time stamp.

Incorrect format : 11/12/2010 04:30:03.400
Correct format : 30/04/2012 03:48:24

And these are my config's.

Inputs.conf
[monitor://C:\sampledata.20120430035907.Z]
disabled = false
followTail = 0
host = LOG_HOST
index = MY_LOG
sourcetype = LOG

props.conf
[LOG]
BREAK_ONLY_BEFORE = ^A5,*
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = true
TIME_FORMAT = %Y:%m:%d:%H:%M:%S
TIME_PREFIX = A5,
pulldown_type = 1
TRANSFORMS-log = log_extractions

[log-extractions]
DELIMS = ","
FIELDS = "field1","field2" etc etc etc

I used the timeprefix to try and get it to detect the first time entry.

The field extraction works fine just not the initial time stamp detection.

Lucas_K · ‎05-02-2012

solved it myself.

Incorrect.
TIME_FORMAT = %Y:%m:%d:%H:%M:%S

Correct.
TIME_FORMAT=%Y:%m:%d:%H:%M:%S

It was literally looking for the white space in each of that statement.

View solution in original post

Lucas_K · ‎05-02-2012

solved it myself.

Incorrect.
TIME_FORMAT = %Y:%m:%d:%H:%M:%S

Correct.
TIME_FORMAT=%Y:%m:%d:%H:%M:%S

It was literally looking for the white space in each of that statement.

Getting time stamps correctly.

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation