Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Importing data from a CSV file, how do I edit props.conf to assign a specific column to be parsed as _time?

nikkkc
Path Finder
‎07-27-2016 06:34 AM

Hi Guys,

I do data import from a CSV and I would like set the eventtime ( _time) to a specific column because the automatic timestamp assignment did not work for me.

Is my config possible? What is wrong? ActualStartTime is a Column in the header of the CSVFile.

props.conf:

[source::D:\Data\*.csv]
TIME_PREFIX = ActualStartTime
TIME_FORMAT=%y/%m/%d-%H:%M:%S.%3N

thanks I am 404

Reply
1 Solution
Solved! Jump to solution
Solution

Jeremiah
Motivator
‎07-27-2016 06:49 AM

You can use INDEXED_EXTRACTIONS and the TIMESTAMP_FIELDS option to do this. You'll need to put these settings in the props.conf on your universal forwarder. There is a default csv sourcetype you can use to do this, or you can create your own sourcetype.

http://docs.splunk.com/Documentation/Splunk/6.4.2/Data/Extractfieldsfromfileswithstructureddata

[my_csv]
SHOULD_LINEMERGE = False
INDEXED_EXTRACTIONS = csv
KV_MODE = none
TIMESTAMP_FIELDS = ActualStartTime
TIME_FORMAT=%y/%m/%d-%H:%M:%S.%3N

View solution in original post

Reply
Solved! Jump to solution
Solution

Jeremiah
Motivator
‎07-27-2016 06:49 AM

You can use INDEXED_EXTRACTIONS and the TIMESTAMP_FIELDS option to do this. You'll need to put these settings in the props.conf on your universal forwarder. There is a default csv sourcetype you can use to do this, or you can create your own sourcetype.

http://docs.splunk.com/Documentation/Splunk/6.4.2/Data/Extractfieldsfromfileswithstructureddata

[my_csv]
SHOULD_LINEMERGE = False
INDEXED_EXTRACTIONS = csv
KV_MODE = none
TIMESTAMP_FIELDS = ActualStartTime
TIME_FORMAT=%y/%m/%d-%H:%M:%S.%3N
Reply
Solved! Jump to solution

nikkkc
Path Finder
‎07-27-2016 11:51 PM

it works, thanks a lot!!!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...