Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I specify TIMESTAMP_FIELDS in props.conf for a CSV file without HEADERS?

asaste
Path Finder
‎04-26-2016 01:30 AM

I am loading CSV file without HEADERS in Splunk. File is getting correctly loaded in Splunk. For column names I have defined ‘FIELD_NAMES’ property in props.conf.

I have set one of the fields from ‘FIELD_NAMES’ as TIMESTAMP_FIELDS, but it is not taking it as _time
My Question is: How can I specify TIMESTAMP_FIELDS in this props.conf for CSV file without HEADERS ?

E.g
Some data in a student file

AAA,1001,98, 15:10:05.962 EST Wed Feb 4 2015
BBB,1002,87, 15:10:05.962 EST Wed Feb 4 2015
CCC,1003,90, 15:10:05.962 EST Wed Feb 4 2015

inputs.conf

[monitor:///daya01/student]
sourcetype=stu

props.conf

[stu]
SHOULD_LINEMERGE = false
FIELD_NAMES = name,id,marks, joining-time
TIMESTAMP_FIELDS = joining-time

What value should i set to TIMESTAMP_FIELDS ?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

asaste
Path Finder
‎06-02-2016 03:29 AM

Hi ,
Sorry for updating late.

It was not the header issue, it was - (Hyphen) issue. Splunk convert Hyphen(-) with underscore(_) in field names. Splunk recommend to use underscore in field names instead of hyphen as hyphen is use as an arithmetic operator.

Now we have changed field name from joining-time to joining_time, so issue is resolved now.

Thanks,
ABhi

View solution in original post

Reply
Solved! Jump to solution
Solution

asaste
Path Finder
‎06-02-2016 03:29 AM

Hi ,
Sorry for updating late.

It was not the header issue, it was - (Hyphen) issue. Splunk convert Hyphen(-) with underscore(_) in field names. Splunk recommend to use underscore in field names instead of hyphen as hyphen is use as an arithmetic operator.

Now we have changed field name from joining-time to joining_time, so issue is resolved now.

Thanks,
ABhi

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-26-2016 06:05 AM

Try specifying TIME_FORMAT in your props.conf.

TIME_FORMAT = %H:%M:%S.%3N %Z %a %b %d %Y
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

asaste
Path Finder
‎04-27-2016 06:37 AM

Thanks for Reply,I used solution you provided, but no luck :-(. Still not able to get 'joining_time' in _time.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM & RUM | Upcoming Planned Maintenance

There will be planned maintenance of the streaming infrastructure for Splunk APM and Splunk RUM in the coming ...

Part 2: Diving Deeper With AIOps

Getting the Most Out of Event Correlation and Alert Storm Detection in Splunk IT Service Intelligence   Watch ...

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...