Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Props.conf: How to detect time and break events?

power12
Path Finder
‎07-13-2022 07:48 AM

I have the following sample data in a csv file.I am trying to import it but its  unable to break the line and detect the timestamp.

Sample events

"Jun30.22.21.55, LVVL@abc.LOCAL, InOctets, 557766140, OutOctets, 3462815293, Total MB used, 502.572679125"

"Jun30.22.21.55, ALU@abc.LOCAL, InOctets, 4238119433, OutOctets, 3683403330, Total MB used, 990.190345375"

"Jun30.22.21.55, RXGH@abc.LOCAL, InOctets, 233853544, OutOctets, 485536206, Total MB used, 89.92371875"

 

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-13-2022 08:01 AM

Assuming your timestamp is the first field, try setting your TIME_FORMAT to %b%d.%y.%H.%M

Having said that, what do dates with single digit days look like e.g. Jul01.22 or Jul 1.22 or Jul1.22? 

0 Karma
Reply

power12
Path Finder
‎07-13-2022 08:34 AM

Jun30.22.21.55  ....here Jun30th is the date with year as present and 22.21.55 is the time ...with single date it will be Jun01

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-13-2022 08:41 AM

%b%d.%H.%M.%S

0 Karma
Reply

power12
Path Finder
‎07-13-2022 09:00 AM

I tried using %b%d.%H.%M.%S in TIME_FORMAT but it did not recognize the time.I am attaching the screenshot of how it looks when uploaded through UI.

 

[ csv ]
CHARSET=UTF-8
INDEXED_EXTRACTIONS=csv
KV_MODE=none
SHOULD_LINEMERGE=false
category=Structured
description=Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled=false
pulldown_type=true
TIME_FORMAT=%b%d.%H.%M.%S

 

power12_0-1657727853585.png

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-13-2022 09:12 AM

Try including TIME_PREFIX = ^

0 Karma
Reply

power12
Path Finder
‎07-13-2022 09:44 AM

I tried that no luck

0 Karma
Reply
Get Updates on the Splunk Community!

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...

There's No Place Like Chrome and the Splunk Platform

WATCH NOW!Malware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

Customer Experience | Join the Customer Advisory Board!

Are you ready to take your Splunk journey to the next level? 🚀 We invite you to join our elite squad ...