I'm in the middle of importing a CSV using the Splunk GUI and am attempting to extract, from two different fields titled Month and Year, the date in which the timestamp should correlate.
The first field is titled Month and contains the month of the input, and the second is titled Year and contains the Year of the input. Basically, I want to extract that information into the _time field automatically. Is this possible? An example would be "October" in the Month field and "2015" in the Year field. It doesn't seem to recognize that it should be extracting from both fields and combining the information. Thanks for the help!
Have you tried specifying Timestamp fields without quotes?
I wonder if "Timestamp format" and "Timestamp fields" are conflicting. Have you tried leaving the format field empty?
Tried unsuccessfully. I've tried a bunch of different variations and none seem to work.
Any chance you can put your header line and a couple of lines of the CSV into a pastebin or gist?
Not sure if you've already got this working, but the problem looks to be the comma in the TIME_FORMAT. Since you've told Splunk the date stamp fields already, you do not need to use a comma. So it should look like the following instead.
TIMESTAMP_FIELDS = Month, Year
TIME_FORMAT = %B %Y
TIME_FORMAT = %B%n%Y, where %n is for whitespace.
Hope this helps.
Hi faramarz, did you get this working? What was the solution?
Got it working by just running a script to change the fields into a conglomerated field so it looked like "October 1 2015" etc. Don't think it's possible with only a month and year field.
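The workaround described in the post above (pre-processing the CSV so the Month and Year columns become one "October 1 2015" style field that Splunk can match with a single TIME_FORMAT) as an added example; this is not the poster's script and not anything from Splunk. It assumes a constructed four-column CSV, fixes the day to 1, treats the result as UTC, and uses the same strptime-style month and year conversions (%B, %Y) that the TIME_FORMAT setting in this thread relies on. Rows whose Month or Year does not parse are dropped and reported rather than written through, so a bad value cannot quietly end up indexed with the wrong time.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample input, shaped like the CSV discussed in the thread:
# separate Month and Year columns and no single timestamp field.
# The third row carries a deliberately misspelled month to show rejection.
SAMPLE_CSV = """Host,Month,Year,Count
web01,October,2015,42
web02,November,2015,7
web03,Octobre,2015,3
"""

# strptime format for the combined field, e.g. "October 1 2015".
# This is the value you would then set as TIME_FORMAT in props.conf.
COMBINED_FORMAT = "%B %d %Y"


def combine_month_year(csv_text, month_field="Month", year_field="Year",
                       out_field="Date", day="1"):
    """Return (new_csv_text, rejected_rows).

    Each row gets a new column `out_field` containing "<Month> <day> <Year>".
    Rows whose Month/Year do not parse with COMBINED_FORMAT are left out of
    the output and returned in `rejected_rows`, so the caller can see them
    instead of Splunk silently falling back to index time for those events.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    fieldnames = list(reader.fieldnames) + [out_field]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    rejected = []
    for row in reader:
        combined = f"{row[month_field]} {day} {row[year_field]}"
        try:
            # Validate with the same format Splunk will be given.
            datetime.strptime(combined, COMBINED_FORMAT)
        except ValueError:
            rejected.append(dict(row))
            continue
        row[out_field] = combined
        writer.writerow(row)
    return out.getvalue(), rejected


def epoch_for(combined_value):
    """Epoch seconds for a combined field value, assuming UTC (assumption:
    Splunk would apply the TZ of the input; none is given in the thread)."""
    dt = datetime.strptime(combined_value, COMBINED_FORMAT)
    return int(dt.replace(tzinfo=timezone.utc).timestamp())


if __name__ == "__main__":
    converted, bad = combine_month_year(SAMPLE_CSV)
    print(converted)
    for r in bad:
        print("rejected:", r)
    print("_time for 'October 1 2015' ->", epoch_for("October 1 2015"))
```

After running this over the real file, point the Splunk input at the new CSV with TIMESTAMP_FIELDS = Date and TIME_FORMAT = %B %d %Y; the rejected rows are the ones to inspect by hand before ingesting.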
Thanks for the update. I've tested my solution on 6.3 and it definitely works okay with month and year fields. But your method is just as good if you can adjust the input.