Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

csv timestamp

a212830
Champion
‎05-27-2012 05:13 PM

Hi,

I'm working on adding some csv data into splunk, and while some data looks ok, some other data is being bunched together. I'm wondering if the issue is that my data is 24 hour clock, but the 0-11 hours are appearing as single digits. I have the following in my props.conf:

TIME_FORMAT= %d-%b-%y %H:%M:%S

The data looks like:
26-May-12 23:58:15,APF-US211i-RH-Cpu-0,CPU_Utilization,6.00000000,2
26-May-12 23:58:17,APF-US211i-RH-Cpu-0,CPU_Utilization,6.00000000,32
26-May-12 23:58:49,APF-US211i-RH-Cpu-0,CPU_Utilization,6.00000000,30
26-May-12 23:59:19,APF-US211i-RH-Cpu-0,CPU_Utilization,7.00000000,27
26-May-12 0:09:01,APF-US212i-RH-Cpu-0,CPU_Utilization,2.00000000,338
26-May-12 0:14:39,APF-US212i-RH-Cpu-0,CPU_Utilization,2.00000000,340
26-May-12 0:20:19,APF-US212i-RH-Cpu-0,CPU_Utilization,2.00000000,338
26-May-12 0:25:57,APF-US212i-RH-Cpu-0,CPU_Utilization,2.00000000,338

Any suggestions?

Tags (2)
0 Karma
Reply

lguinn2
Legend
‎06-01-2012 02:12 AM

I would add this to props.conf

SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 19

This will tell Splunk that your file contains only single-line events. This will definitely stop the "bunching."
It also tells Splunk that your timestamp appears in the first 19 characters of the event. This may not be necessary, but it does make Splunk slightly more efficient.

I don't know if you really need the TIME_FORMAT either - Splunk is usually very good at interpreting timestamps.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...