Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

When importing a CSV in Splunk Web, how do I automatically extract values from "Month" and "Year" fields into the _time field?

faramarz
Path Finder
‎10-29-2015 07:16 AM

Hi!

I'm in the middle of importing a CSV using the Splunk GUI and am attempting to extract, from two different fields titled Month and Year, the date in which the timestamp should correlate.

The first field is titled Month and contains the month of the input, and the second is titled Year and contains the Year of the input. Basically, I want to extract that information into the _time field automatically. Is this possible? An example would be "October" in the Month field and "2015" in the Year field. It doesn't seem to recognize that it should be extracting from both fields and combining the information. Thanks for the help! alt text

Preview file
71 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

faramarz
Path Finder
‎11-05-2015 08:16 AM

Got it working by just running a script to change the fields into a conglomerated field so it looked like "October 1 2015" etc. Don't think it's possible with only a month and year field.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

faramarz
Path Finder
‎11-05-2015 08:16 AM

Got it working by just running a script to change the fields into a conglomerated field so it looked like "October 1 2015" etc. Don't think it's possible with only a month and year field.

0 Karma
Reply
Solved! Jump to solution

gcato
Contributor
‎11-05-2015 12:08 PM

Thanks for the update. I've tested my solution on 6.3 and it definitely works okay with month and years fields. But your method is just as good if you can adjust the input.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-29-2015 08:04 AM

Have you tried specifying Timestamp fields without quotes?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

faramarz
Path Finder
‎10-29-2015 12:17 PM

Yes, doesn't work

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-29-2015 12:39 PM

I wonder if "Timestamp format" and "Timestamp fields" are conflicting. Have you tried leaving the format field empty?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

faramarz
Path Finder
‎10-29-2015 12:41 PM

Tried unsuccessfully. I've tried a bunch of different variations and none seem to work

0 Karma
Reply
Solved! Jump to solution

nnmiller
Contributor
‎10-29-2015 01:05 PM

Any chance you can put your header line and a couple of lines of the CSV into a pastebin or gist?

0 Karma
Reply
Solved! Jump to solution

gcato
Contributor
‎11-02-2015 02:10 PM

Not sure If you've already got this working but the problem looks to be the comma in the TIME_FORMAT. Since you've told SPlunk the date stamp fields already you do not need to use a comma. So it should look like the following instead.

TIMESTAMP_FIELDS = Month, Year
TIME_FORMAT = %B %Y

or, even TIME_FORMAT = %B%n%Y, where %n is for whitespace.

Hope this helps.

0 Karma
Reply
Solved! Jump to solution

gcato
Contributor
‎11-04-2015 07:14 PM

Hi faramarz, did you get this working? What was the solution?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Customer success is front and center at .conf25

Hi Splunkers, If you are not able to be at .conf25 in person, you can still learn about all the latest news ...

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...