Splunk Enterprise

Splunk parsing day of year incorrectly?

arechenberg
Explorer

Good day.

I am trying to import a CSV into Splunk and specifying a Timestamp format and it appears Splunk is not calculating the day of year properly.

My data has a column called 'Start Time' with values such as 222/06:00:00 I have specified the timestamp fields as Start Time and the Timestamp format as

%j/%H:%M:%S

Splunk correctly identifies the time but it assumes the day/date starts as today (08/15/2016) instead of the specified day of year in the imported data (e.g. 222 is actually 9 Aug. 2016).

I have tested this conversion by editing my CSV so that one of the rows has 001/06:05:04, which should parse to 01/01/2016 06:05:04.000 but instead parses to 08/15/2016 06:05:04.000

I've tried this data import on both Splunk Light Free (6.4.0) and Splunk Enterprise (6.4.2) and the results are the same.

Is this a problem with my data or with the way Splunk is parsing the day of year value?

Thanks,
Andy

0 Karma
1 Solution

lguinn2
Legend

I believe that @sundareshr is correct:
"You [sic] date format doesn't have a year value. Only has day of the year, which occurs every year. So splunk defaults to current date."

The timestamp format must yield a complete and valid date. A partial date will not work. Here is How Timestamp Assignment Works. So you need to get the year into the date somewhere

View solution in original post

lguinn2
Legend

I believe that @sundareshr is correct:
"You [sic] date format doesn't have a year value. Only has day of the year, which occurs every year. So splunk defaults to current date."

The timestamp format must yield a complete and valid date. A partial date will not work. Here is How Timestamp Assignment Works. So you need to get the year into the date somewhere

arechenberg
Explorer

Thanks for the reply Lisa. That was indeed the issue. I added the year in front as such:

  2016/231/06:00:00

Splunk then parsed the timestamp as expected.

Thanks again!

0 Karma

somesoni2
Revered Legend

The above format does work for me (splunk 6.2.6). Could you share the props.conf you're trying to user, for the sourcetype. (if using Splunk's add data from ui, go to advanced section on left and copy to clipboard).

0 Karma

sundareshr
Legend

You date format doesn't have a year value. Only has day of the year, which occurs every year. So splunk defaults to current date.

Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Access Tokens Page - New & Improved

Splunk Observability Cloud recently launched an improved design for the access tokens page for better ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...