csv timestamp

a212830 · ‎05-27-2012

Hi,

I'm working on adding some csv data into splunk, and while some data looks ok, some other data is being bunched together. I'm wondering if the issue is that my data is 24 hour clock, but the 0-11 hours are appearing as single digits. I have the following in my props.conf:

TIME_FORMAT= %d-%b-%y %H:%M:%S

The data looks like:
26-May-12 23:58:15,APF-US211i-RH-Cpu-0,CPU_Utilization,6.00000000,2
26-May-12 23:58:17,APF-US211i-RH-Cpu-0,CPU_Utilization,6.00000000,32
26-May-12 23:58:49,APF-US211i-RH-Cpu-0,CPU_Utilization,6.00000000,30
26-May-12 23:59:19,APF-US211i-RH-Cpu-0,CPU_Utilization,7.00000000,27
26-May-12 0:09:01,APF-US212i-RH-Cpu-0,CPU_Utilization,2.00000000,338
26-May-12 0:14:39,APF-US212i-RH-Cpu-0,CPU_Utilization,2.00000000,340
26-May-12 0:20:19,APF-US212i-RH-Cpu-0,CPU_Utilization,2.00000000,338
26-May-12 0:25:57,APF-US212i-RH-Cpu-0,CPU_Utilization,2.00000000,338

Any suggestions?

lguinn2 · ‎06-01-2012

I would add this to props.conf

SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 19

This will tell Splunk that your file contains only single-line events. This will definitely stop the "bunching."
It also tells Splunk that your timestamp appears in the first 19 characters of the event. This may not be necessary, but it does make Splunk slightly more efficient.

I don't know if you really need the TIME_FORMAT either - Splunk is usually very good at interpreting timestamps.

csv timestamp

Platform Newsletter Highlights | March 2023

Enterprise Security Content Updates (ESCU) - New Releases

Thought Leaders are Validating Your Hard Work and Training Rigor