Splunk Enterprise

How to set _time from a field in the csv file?

Juan_Leon
Explorer

I am playing with "Add Data", uploading a csv file. In the Set Source Type screen I am trying to find how to use one of the fields to set the _time value. The field content is the following: "10. Hour Jan 1, 2022"

Using the advanced settings "Timestamp fields" <Field Name> does not seem to work.

Any suggestions?

0 Karma

richgalloway
SplunkTrust

Assuming you set INDEXED_EXTRACTIONS = csv then TIMESTAMP_FIELDS is what you should use.  However, you also will need TIME_FORMAT.  The value of TIME_FORMAT depends on how we should interpret the example content.  Is "10.Hour" literal text or some representation of time of day?  If the former then is there another field with time of day in it?  If there is no time information then use this setting

TIME_FORMAT = 10.Hour %b %d, %Y
---
If this reply helps you, Karma would be appreciated.

Juan_Leon
Explorer

@richgalloway Thank you for your response. A follow-up question: is it possible to format "10.Hour" into "10:00:00"? Unfortunately, the column that has the date and time is not being used to set the _time; instead it uses the ingestion time, which is a few days later.

Example: the event is ";" delimited

3/15/23 04:22:07.000 PM

rich  galloway;12345;Access;splunk trust;15. Hour Mar 10, 2023;abc

 

 

Thanks

0 Karma

richgalloway
SplunkTrust

If "10,Hour" represents the hour of the day then this should get you a time

TIME_FORMAT = %H.Hour %b %d, %Y

You'll also need to specify the delimiter

FIELD_DELIMITER = ;
---
If this reply helps you, Karma would be appreciated.
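
The settings named in the replies above, assembled into one props.conf stanza (an added example, not posted by either participant). The sourcetype name `semicolon_csv` and the column name `event_time` are hypothetical placeholders, the file is assumed to have a header row, and the TIME_FORMAT value is the one from the reply, which assumes the leading number is the hour of day.

```ini
# props.conf: constructed example; stanza name and column name are placeholders
[semicolon_csv]
# Parse the file as structured data so the columns exist as fields at index time
INDEXED_EXTRACTIONS = csv
# The sample event separates fields with ";" rather than ","
FIELD_DELIMITER = ;
# Header-row name of the column holding values such as "15. Hour Mar 10, 2023"
# (assumed name; use the real column header from the file)
TIMESTAMP_FIELDS = event_time
# Format from the reply: hour of day, literal text, month name, day, year
TIME_FORMAT = %H.Hour %b %d, %Y
```

With the stanza applied, the timestamp shown for each event in the Set Source Type preview should come from the field rather than from the upload time.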