Parsing Time error while monitoring CSV file

ishaanshekhar
Communicator

Dear SPLUNK Community,

I need some help parsing the output time field correctly. I am monitoring the CSV file on the UF and reading it on the indexer.

Here's a sample of what the file looks like:

DB_NAME,STATUS,DATE
DB_1,UP,2015-09-2109:19:03.450
DB_2,DOWN,2015-09-2109:19:04.830
...
...

Configuration Details:

  • On UF:

    inputs.conf:

    [monitor://.....<path of file>]
    disabled = 0
    sourcetype = health

    props.conf:

    [health]
    INDEXED_EXTRACTIONS = csv
    HEADER_FIELD_LINE_NUMBER = 1
    TIMESTAMP_FIELDS = DATE
    NO_BINARY_CHECK = true
    TIME_FORMAT = %Y-%m-%d%H:%M:%S.%3N
    TZ = UTC
    SHOULD_LINEMERGE = false

  • On Indexer:

    props.conf:

    [health]
    TIME_FORMAT = %Y-%m-%d%H:%M:%S.%3N
    TZ = UTC
    SHOULD_LINEMERGE = false

Please note: SPLUNK is still indexing the file, but it looks like the timestamp it assigns is the current date instead of the DATE column value.

Thanks in advance!
Ishaan

0 Karma

ishaanshekhar
Communicator

My bad...!

I just noticed that the DATE field was not read by splunkd because I had one extra header in the header line, which literally pushed the DATE values into the wrong column.

Changed that and it is working perfectly.

0 Karma
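
A pre-ingest check for the failure described in the reply above, as an added example that is not part of the original thread: it compares each row's value count with the header line and confirms that the DATE column parses. The `check_csv` function and the extra `HOST` header name are hypothetical, the sample data is constructed from the rows in the question, and Python's `%f` stands in for Splunk's `%3N`.

```python
import csv
import io
from datetime import datetime

# Python equivalent of the page's TIME_FORMAT (%3N in Splunk ~ %f here).
PY_TIME_FORMAT = "%Y-%m-%d%H:%M:%S.%f"


def check_csv(text, ts_field="DATE", fmt=PY_TIME_FORMAT):
    """Return a list of problems that would stop ts_field from being used."""
    rows = list(csv.reader(io.StringIO(text)))
    if not rows:
        return ["file is empty"]
    header, problems = rows[0], []
    if ts_field not in header:
        return [f"header has no {ts_field!r} column: {header}"]
    idx = header.index(ts_field)
    for lineno, row in enumerate(rows[1:], start=2):
        # A header/value count mismatch shifts values under the wrong names.
        if len(row) != len(header):
            problems.append(
                f"line {lineno}: {len(row)} values for {len(header)} header names")
        value = row[idx] if idx < len(row) else ""
        try:
            datetime.strptime(value, fmt)
        except ValueError:
            problems.append(
                f"line {lineno}: {ts_field}={value!r} does not match {fmt}")
    return problems


# Constructed samples based on the rows shown in the question.
GOOD = ("DB_NAME,STATUS,DATE\n"
        "DB_1,UP,2015-09-2109:19:03.450\n"
        "DB_2,DOWN,2015-09-2109:19:04.830\n")
# Same data with one extra (hypothetical) header name, as in the reply above.
BAD = GOOD.replace("DB_NAME,STATUS,DATE", "DB_NAME,HOST,STATUS,DATE")

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("bad", BAD)):
        print(name, check_csv(sample) or "OK")
```
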

richgalloway
SplunkTrust

Copy the [health] stanza from your forwarder's props.conf file to your indexer and restart the indexer.

---
If this reply helps you, Karma would be appreciated.
0 Karma