Parsing Time error while monitoring CSV file

ishaanshekhar
Communicator

Dear SPLUNK Community,

I need some help parsing the output time field correctly. I am monitoring the CSV file on the UF and reading it on the Indexer.

Here's a sample of what the file looks like:

DB_NAME,STATUS,DATE
DB_1,UP,2015-09-2109:19:03.450
DB_2,DOWN,2015-09-2109:19:04.830
...
...

Configuration Details:

  • On UF:

    inputs.conf:

    [monitor://.....<path of file>]
    disabled = 0
    sourcetype = health

    props.conf:

    [health]
    INDEXED_EXTRACTIONS = csv
    HEADER_FIELD_LINE_NUMBER = 1
    TIMESTAMP_FIELDS = DATE
    NO_BINARY_CHECK = true
    TIME_FORMAT = %Y-%m-%d%H:%M:%S.%3N
    TZ = UTC
    SHOULD_LINEMERGE = false

  • On Indexer:

    props.conf:

    [health]
    TIME_FORMAT = %Y-%m-%d%H:%M:%S.%3N
    TZ = UTC
    SHOULD_LINEMERGE = false

Please note: SPLUNK is still indexing the file, but it looks like the timestamp it assigns is the current date, instead of the DATE column value.

Thanks in advance!
Ishaan

0 Karma

ishaanshekhar
Communicator

My bad...!

I just noticed that the DATE field was not read by splunkd because I had one extra header in the header line, which literally pushed the DATE values so they were mapped to the wrong column.

Changed that and it is working perfectly.

0 Karma
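
A pre-ingest check for the problem described in this post, as an added example that is not part of the original thread: it verifies that every row has as many values as the header has fields and that the column named in TIMESTAMP_FIELDS parses with the configured TIME_FORMAT. The Python format string (Splunk's %3N approximated by %f), the function name check_csv and the EXTRA header name are assumptions made for the illustration.

```python
import csv
import io
from datetime import datetime

# Assumed Python equivalent of the thread's TIME_FORMAT (%Y-%m-%d%H:%M:%S.%3N).
# Splunk's %3N (milliseconds) is approximated with %f, which accepts 1-6 digits.
PY_TIME_FORMAT = "%Y-%m-%d%H:%M:%S.%f"

def check_csv(text, ts_field="DATE", time_format=PY_TIME_FORMAT):
    """Return (line_number, problem) tuples for a CSV whose header is on line 1."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader, None)
    if header is None:
        return [(1, "empty file")]
    header = [h.strip() for h in header]
    if ts_field not in header:
        return [(1, f"timestamp field {ts_field!r} not in header {header}")]
    ts_index = header.index(ts_field)
    problems = []
    for row in reader:
        line_no = reader.line_num
        if not row:
            continue  # skip blank lines
        if len(row) != len(header):
            problems.append((line_no, f"{len(row)} values for {len(header)} header fields"))
        if ts_index >= len(row):
            # The header promises a timestamp column that this row does not reach.
            problems.append((line_no, f"no value in column {ts_field!r}"))
            continue
        value = row[ts_index].strip()
        try:
            datetime.strptime(value, time_format)
        except ValueError:
            problems.append((line_no, f"{ts_field}={value!r} does not match {time_format}"))
    return problems

# Constructed samples. GOOD uses the header and rows shown in the question;
# BAD adds a hypothetical extra header name (EXTRA) to reproduce the misalignment.
ROWS = "DB_1,UP,2015-09-2109:19:03.450\nDB_2,DOWN,2015-09-2109:19:04.830\n"
GOOD = "DB_NAME,STATUS,DATE\n" + ROWS
BAD = "DB_NAME,EXTRA,STATUS,DATE\n" + ROWS

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_csv(sample) or "ok")
```

Run against a file's contents before pointing a monitor input at it; any reported line means the DATE column will not be used as written and the event timestamp will come from somewhere else.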

richgalloway
SplunkTrust

Copy the [health] stanza from your forwarder's props.conf file to your indexer and restart the indexer.

---
If this reply helps you, Karma would be appreciated.
0 Karma