Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to configure inputs.conf and props.conf to monitor multiple CSV files in a directory and recognize timestamp in 2nd column?

ryanng
New Member
‎10-02-2014 11:12 PM

Hey everyone,

I am trying to use Splunk to monitor and index multiple CSVs in a directory (e.g. log1.csv / log2.csv in c:\logs), and use the 2nd column of the CSVs as a timestamp. I have tried playing around with inputs.conf and props.conf but to no avail. Format of timestamp in 2nd column(DAY) of each CSV is %Y-%m-d%.

props.conf

[source::C:\\logs\\*]    
TIMESTAMP_FIELDS = DAY
TIME_FORMAT = %Y-%m-%d

inputs.conf

[monitor://c:\logs]    
disabled = false  
followTail = 0    
sourcetype = csv

can anyone advice me how should i go about getting splunk to parse the 2nd column of every csv as timestamp when indexing (the column headers are the same format/header)

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎10-04-2014 06:53 AM

Starting off - I wouldn't do the props.conf like that, use the sourcetype instead. Does your CSV have a header? Make sure you include a time as well.

[csv]
TIMESTAMP_FIELDS = DAY, TIME
TIME_FORMAT = %Y-%m-%d %H:%M:%S
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...