If I have a custom sourcetype with fields delimited by commas, how do I extract the first field as the event timestamp?

Path Finder

If I have a custom sourcetype with fields delimited by commas, the first field in the data is what I want to extract as the event time. What should be in the transforms.conf file for FIELDS = ?

The data looks like: 05-Oct-2016 12:45:17, Jon, Sally, Sue,
How should I configure transforms.conf? FIELDS = ????, Name1, Name2, Name3


Legend

Splunk should automatically recognize the time format. You can name the field Time, since Splunk would have extracted the _time field.


SplunkTrust

The timestamp recognition is configured in props.conf and not in transforms.conf (all transforms.conf settings are executed after timestamp recognition). See this link for details on all the attributes that you need to set up for timestamp recognition. It's recommended that you explicitly specify these attributes for better indexing performance, as automatic recognition can cause extra processing.

http://docs.splunk.com/Documentation/Splunk/6.5.0/Data/Configuretimestamprecognition

I generally configure these 3 attributes at the least. Here is what you can use for your situation:
props.conf (on indexer/heavy forwarder)

[yoursourcetype]
TIME_PREFIX = ^
TIME_FORMAT = %d-%b-%Y %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 20
..other settings..

Path Finder

Yes, I tried that but nothing gets indexed at all. Can this be done from a Universal forwarder?


SplunkTrust

So, when you say nothing gets indexed at all, do you mean you have an inputs.conf on your forwarder which is monitoring this CSV file and sending to the indexer, but the indexer is dropping all events? (That doesn't seem right.)


Legend

The easiest way is to put an example in a file and follow the guided ingestion; that way you can be sure to get the correct timestamp and fields.
After that you can use this sourcetype for your usual ingestion.
Bye.
Giuseppe


Legend

The timestamp is assigned to an event by the indexer in the index phase, not in the input phase.
Bye.
Giuseppe


Path Finder

What does that mean exactly? And is the timestamp the _time?


Legend

Yes, but the timestamp (_time) is assigned to an event by the indexer, not by the forwarder.
Bye.
Giuseppe


Path Finder

I have configured this on my indexer in
props.conf

[testmeout2]
TIME_PREFIX = ^
SHOULD_LINEMERGE = False
pulldown_type = 1
REPORT-names = names

transforms.conf

[names]
DELIMS = ","
FIELDS = Name1,Name2,Name3

ex. data
25-SEP-2016 21:16:17,John,Sally,Joe

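As an added example (this is not code from the thread, from Splunk, or from any of the posters), here is a small Python model of what the props.conf timestamp stanza in the SplunkTrust reply and the DELIMS/FIELDS transform in the last post do to the sample rows. It is a way to check a TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD against real lines before restarting an indexer. The field list uses the name Time for the first column, as suggested earlier in the thread. The sample lines are constructed; the whitespace stripping, the handling of a trailing delimiter, and the longest-candidate parse loop are my simplifications, not documented Splunk behaviour.

```python
import re
from datetime import datetime

# Constructed sample lines (not taken from a live feed): the two rows quoted in
# the thread plus one with no leading timestamp, to exercise the failure path.
SAMPLE_EVENTS = [
    "05-Oct-2016 12:45:17, Jon, Sally, Sue,",
    "25-SEP-2016 21:16:17,John,Sally,Joe",
    "no timestamp here,Alice,Bob,Carol",
]

# Timestamp settings, as in the props.conf stanza recommended in the thread.
# TIME_PREFIX is a regex; the timestamp is read starting where its match ends.
# MAX_TIMESTAMP_LOOKAHEAD bounds how many characters after that are examined.
PROPS = {
    "TIME_PREFIX": r"^",
    "TIME_FORMAT": "%d-%b-%Y %H:%M:%S",
    "MAX_TIMESTAMP_LOOKAHEAD": 20,
}

# Field settings, as in the transforms.conf stanza, with "Time" as the name
# suggested in the thread for the first column.
TRANSFORMS = {
    "DELIMS": ",",
    "FIELDS": ["Time", "Name1", "Name2", "Name3"],
}


def extract_time(raw, props=PROPS):
    """Return (datetime, matched_text), or (None, reason) when recognition fails.

    Assumption: the text is treated as naive local time; no TZ handling is modelled.
    """
    prefix = re.search(props["TIME_PREFIX"], raw)
    if prefix is None:
        return None, "TIME_PREFIX did not match"
    start = prefix.end()
    window = raw[start:start + props["MAX_TIMESTAMP_LOOKAHEAD"]]
    # strptime needs an exact slice, so try the longest candidate first; the
    # first one that parses is taken as the timestamp text.
    for end in range(len(window), 0, -1):
        candidate = window[:end]
        try:
            return datetime.strptime(candidate, props["TIME_FORMAT"]), candidate
        except ValueError:
            continue
    return None, "no timestamp matching TIME_FORMAT within MAX_TIMESTAMP_LOOKAHEAD"


def extract_fields(raw, transforms=TRANSFORMS):
    """Split on DELIMS and pair the tokens with FIELDS, in order.

    Assumptions (mine, not documented Splunk behaviour): surrounding whitespace
    is stripped from each token, and the empty token left by a trailing
    delimiter is ignored.
    """
    tokens = [t.strip() for t in raw.split(transforms["DELIMS"])]
    if tokens and tokens[-1] == "":
        tokens.pop()
    return dict(zip(transforms["FIELDS"], tokens))


def lookahead_fits(sample_timestamp, props=PROPS):
    """Sanity check: the whole timestamp must sit inside the lookahead window."""
    return len(sample_timestamp) <= props["MAX_TIMESTAMP_LOOKAHEAD"]


def index_event(raw):
    """Produce the parts of an indexed event that the thread cares about."""
    stamp, detail = extract_time(raw)
    return {
        "_raw": raw,
        "_time": stamp,                            # None if recognition failed
        "timestamp_text": detail if stamp else None,
        "problem": None if stamp else detail,
        "fields": extract_fields(raw),
    }


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        ev = index_event(line)
        print(ev["_time"], ev["problem"], ev["fields"])
```

Two things worth noticing when you run it: the timestamp "05-Oct-2016 12:45:17" is exactly 20 characters, so MAX_TIMESTAMP_LOOKAHEAD = 20 is the minimum that works and any shorter value silently breaks recognition; and the upper-case "SEP" in the second row parses because Python's strptime matches %b case-insensitively, which is a property of Python, so check the same row against the real indexer rather than assuming it.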