Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Importing data from a CSV file, how do I edit props.conf to assign a specific column to be parsed as _time?

nikkkc
Path Finder
‎07-27-2016 06:34 AM

Hi Guys,

I do data import from a CSV and I would like set the eventtime ( _time) to a specific column because the automatic timestamp assignment did not work for me.

Is my config possible? What is wrong? ActualStartTime is a Column in the header of the CSVFile.

props.conf:

[source::D:\Data\*.csv]
TIME_PREFIX = ActualStartTime
TIME_FORMAT=%y/%m/%d-%H:%M:%S.%3N

thanks I am 404

Reply
1 Solution
Solved! Jump to solution
Solution

Jeremiah
Motivator
‎07-27-2016 06:49 AM

You can use INDEXED_EXTRACTIONS and the TIMESTAMP_FIELDS option to do this. You'll need to put these settings in the props.conf on your universal forwarder. There is a default csv sourcetype you can use to do this, or you can create your own sourcetype.

http://docs.splunk.com/Documentation/Splunk/6.4.2/Data/Extractfieldsfromfileswithstructureddata

[my_csv]
SHOULD_LINEMERGE = False
INDEXED_EXTRACTIONS = csv
KV_MODE = none
TIMESTAMP_FIELDS = ActualStartTime
TIME_FORMAT=%y/%m/%d-%H:%M:%S.%3N

View solution in original post

Reply
Solved! Jump to solution
Solution

Jeremiah
Motivator
‎07-27-2016 06:49 AM

You can use INDEXED_EXTRACTIONS and the TIMESTAMP_FIELDS option to do this. You'll need to put these settings in the props.conf on your universal forwarder. There is a default csv sourcetype you can use to do this, or you can create your own sourcetype.

http://docs.splunk.com/Documentation/Splunk/6.4.2/Data/Extractfieldsfromfileswithstructureddata

[my_csv]
SHOULD_LINEMERGE = False
INDEXED_EXTRACTIONS = csv
KV_MODE = none
TIMESTAMP_FIELDS = ActualStartTime
TIME_FORMAT=%y/%m/%d-%H:%M:%S.%3N
Reply
Solved! Jump to solution

nikkkc
Path Finder
‎07-27-2016 11:51 PM

it works, thanks a lot!!!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...