- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- TIME_FORMAT in props is not working
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have configured the TIME_FORMAT in props.conf as mentioned below.
[mySourceType]
INDEXED_EXTRACTIONS = csv
FIELD_DELIMITER = ,
SHOULD_LINEMERGE = false
HEADER_FIELD_LINE_NUMBER = 1
CHECK_FOR_HEADER = true
NO_BINARY_CHECK = true
disabled = false
initCrcLength = 2048
CHARSET = AUTO
KV_MODE = none
category = structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
pulldown_type = 1
SEDCMD-replacespace = s/ /_/g
TIMESTAMP_FIELDS = "TimeField"
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TZ = UTC
Monitoring CSV file in UF. This props is in indexer.
Example input data - 2019-08-13 07:15:00
2019-08-13 07:20:00
But after indexing _time is coming as 2019-08-13 07:00
2019-08-13 07:00
The Minute part is disappearing.
Please suggest some solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As per @somesoni2 suggestion, I put the props in UF and it is working fine now. Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
for reference,
I put the props in UF and it is working fine now. Thanks
Does this mean the directory of $SPLUNK_HOME/SplunkUniversalForwarder/default
or something else?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Put this settings in UF.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try TIME_FORMAT = %F %X
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What does your sample data look like? How many fields are in the CSV?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sample data I had mentioned in the question (Example input data). There are around 50 fields
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you give a whole row and the headers?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, I can not do that. It's in secure environment
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey I tried again, it's working now. Thanks a lot. But , as per the documentation, time_format and all config should be there in Indexer and not in UF
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
