Unable to extract timestamp from CSV file

rajasha · ‎02-15-2021

I'm trying to extract timestamp exactly from the CSV for each event, but doesnt happen. It show only indexed time in the search head results. Anything I'm doing here wrong ?

Props.conf

[websense:cg:kv]
TIME_PREFIX ="(.*?1)","(.*?)"
TIME_FORMAT=[%d/%m/%y %H:%M:%S]
TRANSFORMS-eliminate_header = eliminate_header
INDEXED_EXTRACTIONS = CSV
FIELD_DELIMITER = ,
TIMESTAMP_FIELDS = Date,Time
HEADER_FIELD_LINE_NUMBER = 1

Transforms.conf

Sample event:

"16/02/2021","07:19:41","Allowed","Collaboration - Office","None","##DEFAULT_Policy","abc@ff.com","eer-ltp-55dd8","live.com","None","None","pptsgs.officeapps.live.com:443/","None","None","34.98.220.117","United States","52.109.124.129","United States","10.212.168.62","None","None","None","None","None","Unknown","Unknown","594","17711","18305.0","Endpoint (Proxy Connect)","Static Classification","None","443","None","Connect"

manjunathmeti · ‎02-16-2021

hi @rajasha,
Drop TIME_PREFIX and TIME_FORMAT.

[websense:cg:kv]
TIMESTAMP_FIELDS = Date,Time
TRANSFORMS-eliminate_header = eliminate_header
INDEXED_EXTRACTIONS = CSV
FIELD_DELIMITER = ,
HEADER_FIELD_LINE_NUMBER = 1

If this reply helps you, an upvote/like would be appreciated.

rajasha · ‎02-16-2021

Hi @manjunathmeti

I implemented the same in HF, but no luck. Still I'm seeing the same Indexed time stamp for all events and not the timestamp present in the csv file for each row. Please help.

Unable to extract timestamp from CSV file

CSV

index

indexer

props.conf

sourcetype

transforms.conf

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!