Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Props.conf: How to detect time and break events?

power12
Communicator
‎07-13-2022 07:48 AM

I have the following sample data in a csv file.I am trying to import it but its  unable to break the line and detect the timestamp.

Sample events

"Jun30.22.21.55, LVVL@abc.LOCAL, InOctets, 557766140, OutOctets, 3462815293, Total MB used, 502.572679125"

"Jun30.22.21.55, ALU@abc.LOCAL, InOctets, 4238119433, OutOctets, 3683403330, Total MB used, 990.190345375"

"Jun30.22.21.55, RXGH@abc.LOCAL, InOctets, 233853544, OutOctets, 485536206, Total MB used, 89.92371875"

 

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-13-2022 08:01 AM

Assuming your timestamp is the first field, try setting your TIME_FORMAT to %b%d.%y.%H.%M

Having said that, what do dates with single digit days look like e.g. Jul01.22 or Jul 1.22 or Jul1.22? 

0 Karma
Reply

power12
Communicator
‎07-13-2022 08:34 AM

Jun30.22.21.55  ....here Jun30th is the date with year as present and 22.21.55 is the time ...with single date it will be Jun01

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-13-2022 08:41 AM

%b%d.%H.%M.%S

0 Karma
Reply

power12
Communicator
‎07-13-2022 09:00 AM

I tried using %b%d.%H.%M.%S in TIME_FORMAT but it did not recognize the time.I am attaching the screenshot of how it looks when uploaded through UI.

 

[ csv ]
CHARSET=UTF-8
INDEXED_EXTRACTIONS=csv
KV_MODE=none
SHOULD_LINEMERGE=false
category=Structured
description=Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled=false
pulldown_type=true
TIME_FORMAT=%b%d.%H.%M.%S

 

power12_0-1657727853585.png

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-13-2022 09:12 AM

Try including TIME_PREFIX = ^

0 Karma
Reply

power12
Communicator
‎07-13-2022 09:44 AM

I tried that no luck

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...