Getting Data In

TIME_FORMAT in props is not working

ankitarath2011
Path Finder

I have configured the TIME_FORMAT in props.conf as mentioned below.

[mySourceType]
INDEXED_EXTRACTIONS = csv
FIELD_DELIMITER = ,
SHOULD_LINEMERGE = false
HEADER_FIELD_LINE_NUMBER = 1
CHECK_FOR_HEADER = true
NO_BINARY_CHECK = true
disabled = false
initCrcLength = 2048
CHARSET = AUTO
KV_MODE = none
category = structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
pulldown_type = 1
SEDCMD-replacespace = s/ /_/g
TIMESTAMP_FIELDS = "TimeField"
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TZ = UTC

Monitoring CSV file in UF. This props is in indexer.

Example input data - 2019-08-13 07:15:00
2019-08-13 07:20:00

But after indexing _time is coming as 2019-08-13 07:00
2019-08-13 07:00

The Minute part is disappearing.

Please suggest some solution

Tags (2)
0 Karma
1 Solution

somesoni2
Revered Legend

Put this settings in UF.

View solution in original post

ankitarath2011
Path Finder

As per @somesoni2 suggestion, I put the props in UF and it is working fine now. Thanks.

0 Karma

dannyze
Explorer

for reference,  

 

I put the props in UF and it is working fine now. Thanks

 

 Does this mean the directory of $SPLUNK_HOME/SplunkUniversalForwarder/default 
or something else? 

 

0 Karma

somesoni2
Revered Legend

Put this settings in UF.

morethanyell
Builder

Try TIME_FORMAT = %F %X

0 Karma

wmyersas
Builder

What does your sample data look like? How many fields are in the CSV?

0 Karma

ankitarath2011
Path Finder

Sample data I had mentioned in the question (Example input data). There are around 50 fields

0 Karma

wmyersas
Builder

Can you give a whole row and the headers?

0 Karma

ankitarath2011
Path Finder

No, I can not do that. It's in secure environment

0 Karma

ankitarath2011
Path Finder

Hey I tried again, it's working now. Thanks a lot. But , as per the documentation, time_format and all config should be there in Indexer and not in UF

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...