Dear SPLUNK Community,
I need some help parsing the output time field correctly. I am monitoring a CSV file on a UF and reading it on the indexer.
Here's a sample of how the file looks:
DB_NAME,STATUS,DATE
DB_1,UP,2015-09-2109:19:03.450
DB_2,DOWN,2015-09-2109:19:04.830
...
...
Configuration Details:
On UF:
inputs.conf:
[monitor://.....<path of file>]
disabled = 0
sourcetype = health
props.conf:
[health]
INDEXED_EXTRACTIONS = csv
HEADER_FIELD_LINE_NUMBER = 1
TIMESTAMP_FIELDS = DATE
NO_BINARY_CHECK = true
TIME_FORMAT = %Y-%m-%d%H:%M:%S.%3N
TZ = UTC
SHOULD_LINEMERGE = false
On Indexer:
props.conf:
[health]
TIME_FORMAT = %Y-%m-%d%H:%M:%S.%3N
TZ = UTC
SHOULD_LINEMERGE = false
Please note: SPLUNK is still indexing the file, but it looks like the timestamp it assigns is the current date instead of the DATE column value.
Thanks in advance!
Ishaan
My bad...!
I just noticed that the DATE field was not read by splunkd because I had one extra header in the header line, which literally pushed the DATE values into the wrong column.
Changed that and it is working perfectly.
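A small pre-check for exactly this failure mode, added here as an example and not part of the original thread: it verifies that every data row has as many values as the header line and that the DATE column parses with the configured format before the file is handed to a forwarder. The sample rows are constructed from the post; Python's `%f` is assumed as the stand-in for Splunk's `%3N`.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed samples: the first reproduces the problem described in the
# thread (one extra header field), the second is the corrected header.
BROKEN_CSV = """DB_NAME,STATUS,EXTRA,DATE
DB_1,UP,2015-09-2109:19:03.450
DB_2,DOWN,2015-09-2109:19:04.830
"""
GOOD_CSV = """DB_NAME,STATUS,DATE
DB_1,UP,2015-09-2109:19:03.450
DB_2,DOWN,2015-09-2109:19:04.830
"""

# strptime equivalent of the props.conf TIME_FORMAT %Y-%m-%d%H:%M:%S.%3N:
# no separator between date and time; %f accepts 1-6 fractional digits.
TIME_FORMAT = "%Y-%m-%d%H:%M:%S.%f"
TIMESTAMP_FIELD = "DATE"


def check_csv(text, ts_field=TIMESTAMP_FIELD, fmt=TIME_FORMAT):
    """Return a list of problems; an empty list means every row lines up
    with the header and its timestamp column parses with fmt."""
    problems = []
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    if ts_field not in header:
        return [f"header has no {ts_field} column: {header}"]
    idx = header.index(ts_field)
    for lineno, row in enumerate(reader, start=2):
        if len(row) != len(header):
            problems.append(f"line {lineno}: {len(row)} values but "
                            f"{len(header)} header fields")
            continue
        try:
            datetime.strptime(row[idx], fmt)
        except ValueError:
            problems.append(f"line {lineno}: {ts_field}={row[idx]!r} "
                            f"does not match {fmt}")
    return problems


def parse_timestamps(text, ts_field=TIMESTAMP_FIELD, fmt=TIME_FORMAT):
    """Parse the timestamp column of a well-formed file as UTC (TZ = UTC)."""
    reader = csv.DictReader(io.StringIO(text))
    return [datetime.strptime(r[ts_field], fmt).replace(tzinfo=timezone.utc)
            for r in reader]
```

With the extra header the checker reports a value/header count mismatch on every row, which is what silently sent the DATE values to the wrong column.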
Copy the [health] stanza from your forwarder's props.conf file to your indexer and restart the indexer.