Solved: Re: Time stamp field using transforms.conf

rsathish47 · ‎10-07-2016

HI All,

Am have CSV which is semicolon as delimiter and am using Props and transpose to extract the fields. But am assigning fields name in the transpose and am not able to set _time field . Please let me know how to do that.

Props.conf

[Jbossorder]
REPORT-formation = split_header
BREAK_ONLY_BEFORE = SO;

transforms.conf
[split_header]
DELIMS = ;
FIELDS =H1,H2,H3,H4,datetime

Thanks
Sathish Rangan

rsathish47 · ‎10-07-2016

I fixed it using props.conf

[Jbossorder]
FIELD_DELIMITER =;
TIME_FORMAT = %Y%m%dT%H%M%S%z
TIMESTAMP_FIELDS = datetime
FIELD_NAMES = H1,H2,H3,H4,datetime

View solution in original post

rsathish47 · ‎10-07-2016

I fixed it using props.conf

[Jbossorder]
FIELD_DELIMITER =;
TIME_FORMAT = %Y%m%dT%H%M%S%z
TIMESTAMP_FIELDS = datetime
FIELD_NAMES = H1,H2,H3,H4,datetime

Time stamp field using transforms.conf

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Join the Conversation

Time stamp field using transforms.conf

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey