Getting Data In

How can I specify TIMESTAMP_FIELDS in props.conf for a CSV file without HEADERS?

asaste
Path Finder

I am loading CSV file without HEADERS in Splunk. File is getting correctly loaded in Splunk. For column names I have defined ‘FIELD_NAMES’ property in props.conf.

I have set one of the fields from ‘FIELD_NAMES’ as TIMESTAMP_FIELDS, but it is not taking it as _time
My Question is: How can I specify TIMESTAMP_FIELDS in this props.conf for CSV file without HEADERS ?

E.g
Some data in a student file

AAA,1001,98, 15:10:05.962 EST Wed Feb 4 2015
BBB,1002,87, 15:10:05.962 EST Wed Feb 4 2015
CCC,1003,90, 15:10:05.962 EST Wed Feb 4 2015

inputs.conf

[monitor:///daya01/student]
sourcetype=stu

props.conf

[stu]
SHOULD_LINEMERGE = false
FIELD_NAMES = name,id,marks, joining-time
TIMESTAMP_FIELDS = joining-time

What value should i set to TIMESTAMP_FIELDS ?

0 Karma
1 Solution

asaste
Path Finder

Hi ,
Sorry for updating late.

It was not the header issue, it was - (Hyphen) issue. Splunk convert Hyphen(-) with underscore(_) in field names. Splunk recommend to use underscore in field names instead of hyphen as hyphen is use as an arithmetic operator.

Now we have changed field name from joining-time to joining_time, so issue is resolved now.

Thanks,
ABhi

View solution in original post

asaste
Path Finder

Hi ,
Sorry for updating late.

It was not the header issue, it was - (Hyphen) issue. Splunk convert Hyphen(-) with underscore(_) in field names. Splunk recommend to use underscore in field names instead of hyphen as hyphen is use as an arithmetic operator.

Now we have changed field name from joining-time to joining_time, so issue is resolved now.

Thanks,
ABhi

richgalloway
SplunkTrust
SplunkTrust

Try specifying TIME_FORMAT in your props.conf.

TIME_FORMAT = %H:%M:%S.%3N %Z %a %b %d %Y
---
If this reply helps you, Karma would be appreciated.
0 Karma

asaste
Path Finder

Thanks for Reply,I used solution you provided, but no luck :-(. Still not able to get 'joining_time' in _time.

0 Karma
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf24, and Community Connections

Thank you to everyone in the Splunk Community who joined us for .conf24 – starting with Splunk University and ...

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...