Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Incorrect timestamp when ingesting csv data

jg91
Path Finder
‎10-18-2024 12:14 AM

Hi,

I’m trying to ingest CSV data (without a timestamp) using a Universal Forwarder (UF) running in a fresh container.

When I attempt to ingest the data, I encounter the following warning in the _internal index, and the data ends up being ingested with a timestamp from 2021. This container has not previously ingested any data, so I’m unsure why it defaults to this date.

10-18-2024 03:42:00.942 +0000 WARN  DateParserVerbose [1571 structuredparsing] - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (128) characters of event. Defaulting to timestamp of previous event (Wed Jan 13 21:06:54 2021). Context: source=/var/data/sample.csv|host=splunk-uf|csv|6215

 

Can someone explain why this date is being applied, and how I can prevent this issue?

 

Labels (3)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-18-2024 12:19 AM

Hi @jg91 ,

if your csv doesn't contain any timestamp, Splunk can assign the timestamp of the index time or the timestamp from the previous event.

probably it's assigned the second one.

I hint to specify in props.conf that the timestamp is the current time:

DATETIME_CONFIG = CURRENT

as described at https://docs.splunk.com/Documentation/Splunk/9.3.1/Admin/Propsconf#Timestamp_extraction_configuratio...

Ciao.

Giuseppe

0 Karma
Reply

jg91
Path Finder
‎10-18-2024 12:48 AM

Thank you, but my question is why it defaults to a timestamp from 2021, especially since this is a freshly created container/pod with no prior data ingested. Why is it using that specific date?

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-18-2024 01:34 PM

Hard to say without knowing your exact data and config. But Splunk does tend to try to guess  the time format sometimes and it's usually not the best idea to let it. So if you don't have timestamps in your data it's best to explicitly configure your sourcetype so that Splunk doesn't guess but blindly assumes it's the current timestamp (as @gcusello already showed)

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-18-2024 12:56 AM

Hi @jg91 ,

I don't know your data, maybe there's some numeric field that can be interpretated as a timestamp, or there's a previous event of 2021, I don't know.

But using the above configuration you should solve.

Ciao.

Giuseppe

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...