Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Problems with CSV timestamps

kooixiuhong
New Member
‎07-03-2018 01:06 AM

Hi, I have some csv files on my Splunk index. The files are named with a date like xxxxx20180703.csv . In the csv files there is a field with a time in 12:30:45 PM format. The timestamp is able to pickup the date and time. However I have an issues where on some of the files(not all) it detects 11pm properly but then it treats 12 AM as the next day and any time after that will be labeled as the next day as well.

0 Karma
Reply

kmorris_splunk
Splunk Employee
Splunk Employee
‎07-03-2018 09:36 AM

You could use a custom datetime.xml file and reference it from your props.conf file. Below is an example I used where I had a similar issue. The data I was working with had a time in the data, but the date was in the file name. My filenames looked something like the following:

filename2018_07_03.txt

I just copied and pasted an existing definition that was similar and tweaked it in. You need to change the name, the extract as well if the order is different, and the regex to extract the values.

<define name="_masheddate3" extract="year, month, day">
    <text><![CDATA[source::.*?/sampledata/\w+(\d{4})_(\d{2})_(\d{2})\.txt]]></text>
</define>
0 Karma
Reply

kooixiuhong
New Member
‎07-03-2018 07:33 PM

Splunk have no problem reading the date and time. My problem is that for one file, Splunk reads 11pm and treats any events pass midnight as the next day and not the same day. It only mysteriously happens for one csv file and the rest are read perfectly.

0 Karma
Reply

niketn
Legend
‎07-03-2018 06:48 AM

Would the following help?
https://answers.splunk.com/answers/557841/how-to-extract-date-from-filename-and-add-it-with.html

Have you defined TIME_FORMAT as per your time field in the csv file field?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-03-2018 06:02 AM

It would be helpful to see some sample events.
What are the props.conf settings for that sourcetype?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

kooixiuhong
New Member
‎07-03-2018 07:31 PM

I've used the csv sourcetype. It is able to correctly read the date and time for most of the files. It is just the first file I am having issue with for some reason.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-06-2018 05:33 AM

What is different about the first file?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...