Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why are events indexing with the wrong time stamp

acceo_purch
New Member
‎10-11-2019 11:50 AM

Hi,

A csv file has the format dd-mm-year hh:mm. Splunk swap the day and month for the events for the first 9 days of a month.
For example an event with a date 09-10-2019 05:05 (9 October 2019) is indexed as 10/9/19 (10 September 2019).
But an event with a date 11-10-2019 05:05 (11 October 2019) is right indexed as 10/11/19 (11 October 2019)

Here is an example of a csv file for the 10 September 2019:
"10-09-2019 05:05","PG","PER","2","2"
"10-09-2019 05:05","DG","USA","1","3"

It's indexed in the month of October the 9th 2019 instead of September 10th 2019:
TIME (M/D/Y) | EVENT (D/M/Y)
10/9/19 | 10-09-2019 05:05,PG,PER,2,2
5:30:00:000 AM
10/9/19 | 10-09-2019 05:05,DG,USA,1,3
5:30:00:000 AM

props.conf :

[csv_inv]
SEDCMD-removeDoubleQuotes= s/\"//g
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = csv
NO_BINARY_CHECK = true
category = Structured
pulldown_type = 1
TIME_PREFIX = ^
TIME_FORMAT = %d-%m-%Y %H:%M

Can anyone help me with this?
Thanks.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-12-2019 07:29 AM

Hi acceo_purch,
as suggested by @richgalloway, at first, use the correct TIME_PREFIX = ^\"

Then, where is this props.conf?
Usually it must be on Indexers, but when you ingest csv files it must be also on Universal Forwarders

Ciao.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-12-2019 07:29 AM

Hi acceo_purch,
as suggested by @richgalloway, at first, use the correct TIME_PREFIX = ^\"

Then, where is this props.conf?
Usually it must be on Indexers, but when you ingest csv files it must be also on Universal Forwarders

Ciao.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

acceo_purch
New Member
‎10-14-2019 10:19 AM

Thanks Giuseppe, adding the right TIME_PREFIX = ^\" solved the problem.

Best regards!

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-11-2019 01:43 PM

If the CSV file really has quotation marks around each field then the time prefix is incorrect.

TIME_PREFIX = ^"

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

acceo_purch
New Member
‎10-14-2019 10:17 AM

Thank you for your help, changing the TIME_PREFIX = ^\" solved the problem.

Best regards!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...