Getting Data In

Importing data from a CSV file, how do I edit props.conf to assign a specific column to be parsed as _time?

nikkkc
Path Finder

Hi Guys,

I do data import from a CSV and I would like set the eventtime ( _time) to a specific column because the automatic timestamp assignment did not work for me.

Is my config possible? What is wrong? ActualStartTime is a Column in the header of the CSVFile.

props.conf:

[source::D:\Data\*.csv]
TIME_PREFIX = ActualStartTime
TIME_FORMAT=%y/%m/%d-%H:%M:%S.%3N

thanks I am 404

1 Solution

Jeremiah
Motivator

You can use INDEXED_EXTRACTIONS and the TIMESTAMP_FIELDS option to do this. You'll need to put these settings in the props.conf on your universal forwarder. There is a default csv sourcetype you can use to do this, or you can create your own sourcetype.

http://docs.splunk.com/Documentation/Splunk/6.4.2/Data/Extractfieldsfromfileswithstructureddata

[my_csv]
SHOULD_LINEMERGE = False
INDEXED_EXTRACTIONS = csv
KV_MODE = none
TIMESTAMP_FIELDS = ActualStartTime
TIME_FORMAT=%y/%m/%d-%H:%M:%S.%3N

View solution in original post

Jeremiah
Motivator

You can use INDEXED_EXTRACTIONS and the TIMESTAMP_FIELDS option to do this. You'll need to put these settings in the props.conf on your universal forwarder. There is a default csv sourcetype you can use to do this, or you can create your own sourcetype.

http://docs.splunk.com/Documentation/Splunk/6.4.2/Data/Extractfieldsfromfileswithstructureddata

[my_csv]
SHOULD_LINEMERGE = False
INDEXED_EXTRACTIONS = csv
KV_MODE = none
TIMESTAMP_FIELDS = ActualStartTime
TIME_FORMAT=%y/%m/%d-%H:%M:%S.%3N

nikkkc
Path Finder

it works, thanks a lot!!!

0 Karma
Get Updates on the Splunk Community!

3 Ways to Make OpenTelemetry Even Better

My role as an Observability Specialist at Splunk provides me with the opportunity to work with customers of ...

What's New in Splunk Cloud Platform 9.2.2406?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2406 with many ...

Enterprise Security Content Update (ESCU) | New Releases

In August, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...