Parsing Time error while monitoring CSV file

ishaanshekhar · ‎09-21-2015

Dear SPLUNK Community,

I need some help for parsing output time field correctly. I am monitoring the csv file on UF and reading it on Indexer.

Here's the sample how the file looks like:

DB_NAME,STATUS,DATE
DB_1,UP,2015-09-2109:19:03.450
DB_2,DOWN,2015-09-2109:19:04.830
...
...

Configuration Details:

On UF:
inputs.conf:
[monitor://.....<path of file>]
disabled = 0
sourcetype = health

props.conf:

[health]
INDEXED_EXTRACTIONS = csv
HEADER_FIELD_LINE_NUMBER = 1
TIMESTAMP_FIELDS = DATE
NO_BINARY_CHECK = true
TIME_FORMAT = %Y-%m-%d%H:%M:%S.%3N
TZ = UTC
SHOULD_LINEMERGE = false

-On Indexer:

 props.conf

[health]
TIME_FORMAT = %Y-%m-%d%H:%M:%S.%3N
TZ = UTC
SHOULD_LINEMERGE = false

Please Note: SPLUNK is still indexing the file, but looks like the timestamp it assigns is of current date, instead of the DATE column value.

Thanks in advance!
Ishaan

ishaanshekhar · ‎09-21-2015

My bad...!

I just noticed that the DATE field was not read by splunkd because I had one header extra in the header line, which literally pushed the DATE values mapped to a wrong column.

Changed that and it is working perfectly.

richgalloway · ‎09-21-2015

Copy the [health] stanza from your forwarder's props.conf file to your indexer and restart the indexer.

---
If this reply helps you, Karma would be appreciated.

Parsing Time error while monitoring CSV file

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!