Solved: Re: Time stamp field using transforms.conf

rsathish47 · ‎10-07-2016

HI All,

Am have CSV which is semicolon as delimiter and am using Props and transpose to extract the fields. But am assigning fields name in the transpose and am not able to set _time field . Please let me know how to do that.

Props.conf

[Jbossorder]
REPORT-formation = split_header
BREAK_ONLY_BEFORE = SO;

transforms.conf
[split_header]
DELIMS = ;
FIELDS =H1,H2,H3,H4,datetime

Thanks
Sathish Rangan

rsathish47 · ‎10-07-2016

I fixed it using props.conf

[Jbossorder]
FIELD_DELIMITER =;
TIME_FORMAT = %Y%m%dT%H%M%S%z
TIMESTAMP_FIELDS = datetime
FIELD_NAMES = H1,H2,H3,H4,datetime

View solution in original post

rsathish47 · ‎10-07-2016

I fixed it using props.conf

[Jbossorder]
FIELD_DELIMITER =;
TIME_FORMAT = %Y%m%dT%H%M%S%z
TIMESTAMP_FIELDS = datetime
FIELD_NAMES = H1,H2,H3,H4,datetime

Time stamp field using transforms.conf

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

GA: New Data Management App in Splunk Platform

Announcing Modern Navigation: A New Era of Splunk User Experience

Join the Conversation