Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help Getting CSV File in when time field is in Seconds Past Midnight

edgarrity
Path Finder
‎07-06-2022 04:41 PM

I need help with loading CSV files into Splunk with the event time recorded as seconds past midnight instead of HH:MM:SS time. Below is a sample of the data I need to load. How do I specify that the time column is the number of seconds past midnight when defining the Timestamp for the Source Type?

PickStartDate,BTVersion,TripNumber,Sequence,PassingTime,ArrivalTime,DepartureTime,FlagStop,ByPass,EarlyDeparture,event_line_number
2021-04-25,S1000216,1020,1,54900,54900.0,54900.0,0,0,,1
2021-04-25,S1000216,1020,2,54955,,,0,0,,2
2021-04-25,S1000216,1020,3,54999,,,0,0,,3

Labels (1)
Labels
Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎07-06-2022 10:53 PM

Yep, INGEST_EVAL is the way to go.

Firstly parse out the day as usual so you'll get the beginning of the day in the _time field. Then parse out an indexed field containing number of seconds. Then add this number to your _time. And finally, if not needed for anything else, unset the extracted field (otherwise it will get indexed).

View solution in original post

Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎07-06-2022 10:36 PM

@edgarrity - INGEST_EVAL would be one of the options I guess.

(you may have to combine multiple INGEST_EVAL and in combination with normal TRANSFORMS with REGEX to achieve the extraction and generate the right timestamp as you need.)

 

I hope this helps!!!

Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎07-06-2022 10:53 PM

Yep, INGEST_EVAL is the way to go.

Firstly parse out the day as usual so you'll get the beginning of the day in the _time field. Then parse out an indexed field containing number of seconds. Then add this number to your _time. And finally, if not needed for anything else, unset the extracted field (otherwise it will get indexed).

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...