Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Unable to extract timestamp from a CSV file
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unable to extract timestamp from a CSV file
Hi All,
I'm trying to extract some reports form a sample csv file. the first two lines are:
BOT_ID,TECHNOLOGY,TEST_CASE_ID,TEST_CASE_NAME,TEST_PARAM_NAME,TEST_PARAM_VALUE,TEST_PARAM_UNIT,TEST_CASE_RESULT_ID,TEST_SUITE_RESULT_ID,TIMESTAMP
DD-99-AA-55-11-11,LTE,14,NA,LAC,ffff,NA,12e285e0-7a38-416e-b077-88aca4add7c8,fedec8a8-a156-4fc9-a63a-049523f2972e,11-01-2013 12:13:16
it fails with an error "could not use strptime to parse timestamp (null).
Tried adding TIME_FORMAT=%d-%m-%y %H:%M:%S but this does not work either.
What an I missing?
My prop file looks like this:
-#your settings
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=false
TIME_FORMAT=%d-%m-%y %H:%M:%S
TIME_PREFIX=^([^,]*,){14}
-#set by detected source type
CHECK_FOR_HEADER=true
KV_MODE=none
pulldown_type=true
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
your settings
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=false
TIME_FORMAT=%d-%m-%Y %H:%M:%S
TIME_PREFIX=(^.+,)
set by detected source type
CHECK_FOR_HEADER=true
KV_MODE=none
pulldown_type=true
please try the above settings.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming your sample event is accurate, I think you have an error with: TIME_PREFIX=^([^,]*,){14} shouldn't it be {9} not {14}? Just tested with http://gskinner.com/RegExr/ which I find is a useful test tool for regex issues and changing it to {9} picks up everything before the timestamp.
Another thing to bear in mind is that the default lookahead is 150 characters, which shouldn't affect your sample line but might want to keep that in mind if you have longer lines.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you indexing the files? You dont have to use any settings as splunk has inbuild capability to see the csv files. I would want you to check with UI data file addition. See how its being read and apply TIMEFORMAT there. By the way, if it doesn't read also you can also convert the timestamp with strptime function.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Linu, but this does not work 😞
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try with TIME_FORMAT=%d-%m-%Y %H:%M:%S
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
