Getting Data In

Why are events indexing with the wrong time stamp

New Member

Hi,

A csv file has the format dd-mm-year hh:mm. Splunk swaps the day and month for events in the first 9 days of a month.
For example, an event with the date 09-10-2019 05:05 (9 October 2019) is indexed as 10/9/19 (10 September 2019).
But an event with the date 11-10-2019 05:05 (11 October 2019) is correctly indexed as 10/11/19 (11 October 2019).

Here is an example of a csv file for 10 September 2019:
"10-09-2019 05:05","PG","PER","2","2"
"10-09-2019 05:05","DG","USA","1","3"

It is indexed as 9 October 2019 instead of 10 September 2019:
TIME (M/D/Y)               | EVENT (D/M/Y)
10/9/19 5:30:00:000 AM     | 10-09-2019 05:05,PG,PER,2,2
10/9/19 5:30:00:000 AM     | 10-09-2019 05:05,DG,USA,1,3

props.conf :

[csv_inv]
SEDCMD-removeDoubleQuotes= s/\"//g
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = csv
NO_BINARY_CHECK = true
category = Structured
pulldown_type = 1
TIME_PREFIX = ^
TIME_FORMAT = %d-%m-%Y %H:%M

Can anyone help me with this?
Thanks.

Legend

Hi acceopurch,
as suggested by @richgalloway, first use the correct `TIME_PREFIX = ^\"`

Then, where is this props.conf?
Usually it must be on Indexers, but when you ingest csv files it must also be on Universal Forwarders.

Ciao.
Giuseppe

New Member

Thanks Giuseppe, adding the right TIME_PREFIX = ^\" solved the problem.

Best regards!

SplunkTrust

If the CSV file really has quotation marks around each field then the time prefix is incorrect.

TIME_PREFIX = ^"

---
If this reply helps you, an upvote would be appreciated.
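Both replies above make the same point: with TIME_PREFIX = ^ the opening quote of the first field sits directly in front of the date, so the format %d-%m-%Y %H:%M cannot match it, and with TIME_PREFIX = ^\" the quote is skipped and the format applies. This can be checked before a file is ingested. The script below is an added example, not code from this thread or from Splunk: it approximates Splunk's TIME_PREFIX / TIME_FORMAT handling with Python's `re` and `datetime.strptime` (an approximation, not Splunk's parser), the sample lines are constructed to match the question, and the `check_time_config` dry-run helper is my own.

```python
import re
from datetime import datetime

# Constructed sample lines in the shape the question shows: quoted fields, date as D-M-Y.
SAMPLE_LINES = [
    '"10-09-2019 05:05","PG","PER","2","2"',   # 10 September 2019
    '"11-10-2019 05:05","DG","USA","1","3"',   # 11 October 2019
]

TIME_FORMAT = "%d-%m-%Y %H:%M"   # the TIME_FORMAT from the question's props.conf


def strptime_leading(text, fmt):
    """Parse the longest leading slice of `text` that satisfies `fmt`.

    Python's strptime demands an exact match for the whole string, whereas a
    strptime-style parser such as Splunk's stops once the format is satisfied
    and ignores what follows. Shrinking from the longest slice emulates that
    and keeps the full "05:05" rather than a shorter partial match like "05:0".
    """
    for end in range(len(text), 0, -1):
        try:
            return datetime.strptime(text[:end], fmt)
        except ValueError:
            continue
    return None


def extract_timestamp(line, time_prefix, time_format=TIME_FORMAT, lookahead=128):
    """Approximation (not Splunk's code) of TIME_PREFIX / TIME_FORMAT handling:
    locate the prefix regex, then apply the format to the text right after it,
    looking at most `lookahead` characters ahead (Splunk's MAX_TIMESTAMP_LOOKAHEAD
    defaults to 128). Returns a datetime, or None when the format does not
    match, which is the situation in which Splunk stops using TIME_FORMAT and
    falls back to automatic timestamp recognition, the likely cause of the
    swapped day and month in the question.
    """
    match = re.search(time_prefix, line)
    if match is None:
        return None
    window = line[match.end():match.end() + lookahead]
    return strptime_leading(window, time_format)


def check_time_config(lines, time_prefix, time_format=TIME_FORMAT):
    """Dry-run a TIME_PREFIX / TIME_FORMAT pair over sample lines.

    Returns a list of (line, 'YYYY-MM-DD HH:MM' or None). Any None means the
    configured format would not take effect for that line and the config should
    be corrected before the file is ingested.
    """
    results = []
    for line in lines:
        ts = extract_timestamp(line, time_prefix, time_format)
        results.append((line, ts.strftime("%Y-%m-%d %H:%M") if ts else None))
    return results


if __name__ == "__main__":
    # In props.conf the working value is written TIME_PREFIX = ^\" (quote escaped);
    # as a Python regex that is simply '^"'.
    for prefix in ("^", '^"'):
        print(f"TIME_PREFIX = {prefix!r}")
        for line, stamp in check_time_config(SAMPLE_LINES, prefix):
            print(f"  {line[:18]:20} -> {stamp or 'NO MATCH (automatic detection would be used)'}")
```

Running it shows every line reporting NO MATCH for the prefix `^` and the expected 2019-09-10 / 2019-10-11 dates for `^"`. The same dry run is worth repeating whenever a TIME_FORMAT is changed, since a silent fallback to automatic detection is hard to spot once the events are already indexed with plausible-looking but wrong dates.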

New Member

Thank you for your help, changing the TIME_PREFIX = ^\" solved the problem.

Best regards!
