timestamp equals to none for CSV file [ unable to ...

mmekroud · ‎07-21-2016

Hello,
I am trying to get splunk to parse the timestamps properly in my CSV, II Here are the first lines of the CSV :

FIELD1;FIELD2;FIELD3;FIELD4;FIELD5;FIELD6;FIELD7;FIELD8;FIELD9;FIELD10;DATE
LM649357315;;3L00053;;SSL;DIRAH;1;0;0;0;03/06/2016
DR49JJ54362908;;5B00206;;RRM;KINO;26;1;0;2;03/06/2016

When i apply my props.conf and transforms.conf, the fields are getting right, but the timestamp still none, and _time field get the indexed time period

could you please help me in this case,

props.conf
[source::.../my_csv_file.csv]

INDEXED_EXTRACTIONS = csv
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIME_PREFIX=^([^;]*;){10}
TIMESTAMP_FIELDS = DATE
TIME_FORMAT = %d/%m/%Y
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true

Report-1 = data_extract

transforms.conf
[data_extract]
DELIMS = ";"
FIELDS = "FIELD1";"FIELD2";"FIELD3";"FIELD4";"FIELD5";"FIELD6";"FIELD7";"FIELD8";"FIELD9";"FIELD10";"DATE"

thanks in advance,

regards,
mm

jeffland · ‎09-03-2016

You should omit TIME_PREFIX for csv data. By giving TIMESTAMP_FIELDS, you're already pointing to where the timestamp should be read as %d/%m/%Y.

timestamp equals to none for CSV file [ unable to get a date field as a timestamp]

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms