This is probably really simple and I'm just not seeing it, but I'm having trouble pulling a timestamp from my data. Here is an example line of my data:
I'd like for the timestamp to be March 17th, 2014, at 18:26:50. I'm able to get the time, but not the date. This file is a .csv file with a header that is in the same format as the data (i.e. "columnheader1","columnheader2").
This is my props.conf right now:
FIELD_DELIMITER = ","
HEADER_MODE = firstline
You are missing : in the time_format
Update: it should have been %b rather than %B
Splunk is getting confused about which of the times it should actually take, so TIME_PREFIX needs to be unique.
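
An added example (not part of the original thread, and not Splunk's own parser): a simplified Python model of TIME_PREFIX plus TIME_FORMAT, run on a constructed CSV line, showing why `%B` fails on an abbreviated month and why a non-unique prefix picks the wrong time. The sample line, the `extract_timestamp` helper and its `lookahead` parameter are assumptions, and Python's `strptime` stands in for Splunk's.

```python
import re
from datetime import datetime

# Constructed sample event (not from the original post): two time-like
# fields; the last one is the event time we want indexed.
SAMPLE = '"host01","Mar 17 2014 09:00:00","login","Mar 17 2014 18:26:50"'


def extract_timestamp(event, time_prefix, time_format, lookahead=30):
    """Parse the text that follows the FIRST match of time_prefix.

    Simplified model: the timestamp is searched for only in the
    `lookahead` characters after the prefix match.
    """
    match = re.search(time_prefix, event)
    if match is None:
        return None
    window = event[match.end():match.end() + lookahead]
    # strptime needs an exact-length string, so try the longest prefix first.
    for length in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:length], time_format)
        except ValueError:
            continue
    return None


def demo():
    abbreviated = "%b %d %Y %H:%M:%S"   # %b = abbreviated month name (Mar)
    full_name = "%B %d %Y %H:%M:%S"     # %B = full month name (March)
    return {
        # Generic prefix matches before the first time field: wrong time.
        "generic_prefix": extract_timestamp(SAMPLE, r'","', abbreviated),
        # Prefix that only occurs before the intended field: right time.
        "unique_prefix": extract_timestamp(SAMPLE, r'"login","', abbreviated),
        # Right field, wrong directive: the date cannot be parsed at all.
        "wrong_directive": extract_timestamp(SAMPLE, r'"login","', full_name),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:16} -> {value}")
```
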