Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to configure Splunk to parse a custom date timestamp in a column of a CSV file?

ebailey
Communicator
‎05-03-2016 08:31 AM

I have a CSV file I need Splunk to consume every day that has a date time stamp in a column. I cannot figure out how to get Splunk to read the date time stamp properly since its Month is in all caps.

01-JAN-09 07.21.53.656000 AM

Any idea how to get this to work correctly? I do not see any options that fit this use case.

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-03-2016 08:52 AM

What TIME_FORMAT strings have you tried? Have you tried "%d-%b-%y %H.%M.%S.%6N %p"?

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gfuente
Motivator
‎05-03-2016 08:57 AM

The only issue I'm seeing, is that the sample it's too old. Using

MAX_DAYS_AGO=9999

Makes Splunk auto identify the date correctly. Anyway you could use this props

[  ]
CHARSET=UTF-8
MAX_DAYS_AGO=9999
SHOULD_LINEMERGE=true
disabled=false
TIME_FORMAT=%d-%b-%y %H.%M.%S.%6N
TIME_PREFIX=^

And, as a last option you could use SEDCMD to replace the uppercase months to lower case if finally is needed

With

SEDCMD-date = s/JAN/jan/g

For example

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎05-03-2016 08:55 AM

Following time format should would work for you.

| gentimes start=-1 | eval _time=strptime("01-FEB-09 07.21.53.656000 AM","%d-%b-%y %H.%M.%S.%N %p") | table _time | append [| gentimes start=-1 | eval _time=strptime("07-FEB-09 07.21.53.656000 AM","%d-%b-%y %H.%M.%S.%N %p") | table _time] | append [| gentimes start=-1 | eval _time=strptime("21-MAR-09 07.21.53.656000 AM","%d-%b-%y %H.%M.%S.%N %p") | table _time]

Also, since the years is more than 6 years ago, you would've to set MAX_DAYS_AGO in the sourcetype definition in props.conf to allow Splunk to parse this timestamp.

MAX_DAYS_AGO = <integer>
* Specifies the maximum number of days past, from the current date, that an extracted date
  can be valid.
* For example, if MAX_DAYS_AGO = 10, Splunk ignores dates that are older than 10 days ago.
* Defaults to 2000 (days), maximum 10951.
* IMPORTANT: If your data is older than 2000 days, increase this setting.
0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-03-2016 08:52 AM

What TIME_FORMAT strings have you tried? Have you tried "%d-%b-%y %H.%M.%S.%6N %p"?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

ebailey
Communicator
‎05-03-2016 08:56 AM

I tried that with no luck - thanks

0 Karma
Reply
Solved! Jump to solution

ebailey
Communicator
‎05-03-2016 05:59 PM

This ended up being the solution combined with adding max_days_ago. Thanks!

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎05-04-2016 07:07 AM

Please accept the answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

  Now On Demand  Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research ...

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Automated Archival is a new capability within Metrics Management; which is a robust usage & cost optimization ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...
Top