Getting Data In
Highlighted

When importing a CSV in Splunk Web, how do I automatically extract values from "Month" and "Year" fields into the _time field?

Path Finder

Hi!

I'm in the middle of importing a CSV using the Splunk GUI and am attempting to extract, from two different fields titled Month and Year, the date in which the timestamp should correlate.

The first field is titled Month and contains the month of the input, and the second is titled Year and contains the Year of the input. Basically, I want to extract that information into the _time field automatically. Is this possible? An example would be "October" in the Month field and "2015" in the Year field. It doesn't seem to recognize that it should be extracting from both fields and combining the information. Thanks for the help! alt text

0 Karma
Highlighted

Re: When importing a CSV in Splunk Web, how do I automatically extract values from "Month" and "Year" fields into the _time field?

SplunkTrust
SplunkTrust

Have you tried specifying Timestamp fields without quotes?

---
If this reply helps you, an upvote would be appreciated.
0 Karma
Highlighted

Re: When importing a CSV in Splunk Web, how do I automatically extract values from "Month" and "Year" fields into the _time field?

Path Finder

Yes, doesn't work

0 Karma
Highlighted

Re: When importing a CSV in Splunk Web, how do I automatically extract values from "Month" and "Year" fields into the _time field?

SplunkTrust
SplunkTrust

I wonder if "Timestamp format" and "Timestamp fields" are conflicting. Have you tried leaving the format field empty?

---
If this reply helps you, an upvote would be appreciated.
0 Karma
Highlighted

Re: When importing a CSV in Splunk Web, how do I automatically extract values from "Month" and "Year" fields into the _time field?

Path Finder

Tried unsuccessfully. I've tried a bunch of different variations and none seem to work

0 Karma
Highlighted

Re: When importing a CSV in Splunk Web, how do I automatically extract values from "Month" and "Year" fields into the _time field?

Contributor

Any chance you can put your header line and a couple of lines of the CSV into a pastebin or gist?

0 Karma
Highlighted

Re: When importing a CSV in Splunk Web, how do I automatically extract values from "Month" and "Year" fields into the _time field?

Contributor

Not sure If you've already got this working but the problem looks to be the comma in the TIME_FORMAT. Since you've told SPlunk the date stamp fields already you do not need to use a comma. So it should look like the following instead.

TIMESTAMP_FIELDS = Month, Year
TIME_FORMAT = %B %Y

or, even TIME_FORMAT = %B%n%Y, where %n is for whitespace.

Hope this helps.

0 Karma
Highlighted

Re: When importing a CSV in Splunk Web, how do I automatically extract values from "Month" and "Year" fields into the _time field?

Contributor

Hi faramarz, did you get this working? What was the solution?

0 Karma
Highlighted

Re: When importing a CSV in Splunk Web, how do I automatically extract values from "Month" and "Year" fields into the _time field?

Path Finder

Got it working by just running a script to change the fields into a conglomerated field so it looked like "October 1 2015" etc. Don't think it's possible with only a month and year field.

View solution in original post

0 Karma
Highlighted

Re: When importing a CSV in Splunk Web, how do I automatically extract values from "Month" and "Year" fields into the _time field?

Contributor

Thanks for the update. I've tested my solution on 6.3 and it definitely works okay with month and years fields. But your method is just as good if you can adjust the input.

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.