Getting Data In

When importing a CSV in Splunk Web, how do I automatically extract values from "Month" and "Year" fields into the _time field?

faramarz
Path Finder

Hi!

I'm in the middle of importing a CSV using the Splunk GUI and am attempting to extract, from two different fields titled Month and Year, the date in which the timestamp should correlate.

The first field is titled Month and contains the month of the input, and the second is titled Year and contains the Year of the input. Basically, I want to extract that information into the _time field automatically. Is this possible? An example would be "October" in the Month field and "2015" in the Year field. It doesn't seem to recognize that it should be extracting from both fields and combining the information. Thanks for the help! alt text

0 Karma
1 Solution

faramarz
Path Finder

Got it working by just running a script to change the fields into a conglomerated field so it looked like "October 1 2015" etc. Don't think it's possible with only a month and year field.

View solution in original post

0 Karma

faramarz
Path Finder

Got it working by just running a script to change the fields into a conglomerated field so it looked like "October 1 2015" etc. Don't think it's possible with only a month and year field.

0 Karma

gcato
Contributor

Thanks for the update. I've tested my solution on 6.3 and it definitely works okay with month and years fields. But your method is just as good if you can adjust the input.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Have you tried specifying Timestamp fields without quotes?

---
If this reply helps you, Karma would be appreciated.
0 Karma

faramarz
Path Finder

Yes, doesn't work

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I wonder if "Timestamp format" and "Timestamp fields" are conflicting. Have you tried leaving the format field empty?

---
If this reply helps you, Karma would be appreciated.
0 Karma

faramarz
Path Finder

Tried unsuccessfully. I've tried a bunch of different variations and none seem to work

0 Karma

nnmiller
Contributor

Any chance you can put your header line and a couple of lines of the CSV into a pastebin or gist?

0 Karma

gcato
Contributor

Not sure If you've already got this working but the problem looks to be the comma in the TIME_FORMAT. Since you've told SPlunk the date stamp fields already you do not need to use a comma. So it should look like the following instead.

TIMESTAMP_FIELDS = Month, Year
TIME_FORMAT = %B %Y

or, even TIME_FORMAT = %B%n%Y, where %n is for whitespace.

Hope this helps.

0 Karma

gcato
Contributor

Hi faramarz, did you get this working? What was the solution?

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...