- Community
- :
- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: TIME_FORMAT in props is not working
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have configured the TIME_FORMAT in props.conf as mentioned below.
[mySourceType]
INDEXED_EXTRACTIONS = csv
FIELD_DELIMITER = ,
SHOULD_LINEMERGE = false
HEADER_FIELD_LINE_NUMBER = 1
CHECK_FOR_HEADER = true
NO_BINARY_CHECK = true
disabled = false
initCrcLength = 2048
CHARSET = AUTO
KV_MODE = none
category = structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
pulldown_type = 1
SEDCMD-replacespace = s/ /_/g
TIMESTAMP_FIELDS = "TimeField"
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TZ = UTC
Monitoring CSV file in UF. This props is in indexer.
Example input data - 2019-08-13 07:15:00
2019-08-13 07:20:00
But after indexing _time is coming as 2019-08-13 07:00
2019-08-13 07:00
The Minute part is disappearing.
Please suggest some solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Put this settings in UF.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As per @somesoni2 suggestion, I put the props in UF and it is working fine now. Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
for reference,
I put the props in UF and it is working fine now. Thanks
Does this mean the directory of $SPLUNK_HOME/SplunkUniversalForwarder/default
or something else?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Put this settings in UF.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try TIME_FORMAT = %F %X
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What does your sample data look like? How many fields are in the CSV?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sample data I had mentioned in the question (Example input data). There are around 50 fields
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you give a whole row and the headers?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, I can not do that. It's in secure environment
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey I tried again, it's working now. Thanks a lot. But , as per the documentation, time_format and all config should be there in Indexer and not in UF
Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More
Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)
Tech Talk | One Log to Rule Them All
