How to configure inputs.conf and props.conf to mon...

ryanng · ‎10-02-2014

Hey everyone,

I am trying to use Splunk to monitor and index multiple CSVs in a directory (e.g. log1.csv / log2.csv in c:\logs), and use the 2nd column of the CSVs as a timestamp. I have tried playing around with inputs.conf and props.conf but to no avail. Format of timestamp in 2nd column(DAY) of each CSV is %Y-%m-d%.

props.conf

[source::C:\\logs\\*]    
TIMESTAMP_FIELDS = DAY
TIME_FORMAT = %Y-%m-%d

inputs.conf

[monitor://c:\logs]    
disabled = false  
followTail = 0    
sourcetype = csv

can anyone advice me how should i go about getting splunk to parse the 2nd column of every csv as timestamp when indexing (the column headers are the same format/header)

alacercogitatus · ‎10-04-2014

Starting off - I wouldn't do the props.conf like that, use the sourcetype instead. Does your CSV have a header? Make sure you include a time as well.

[csv]
TIMESTAMP_FIELDS = DAY, TIME
TIME_FORMAT = %Y-%m-%d %H:%M:%S

How to configure inputs.conf and props.conf to monitor multiple CSV files in a directory and recognize timestamp in 2nd column?

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?

How to configure inputs.conf and props.conf to monitor multiple CSV files in a directory and recognize timestamp in 2nd column?

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?