Splunk Enterprise

Splunk parsing day of year incorrectly?

arechenberg
Explorer

Good day.

I am trying to import a CSV into Splunk and specifying a Timestamp format and it appears Splunk is not calculating the day of year properly.

My data has a column called 'Start Time' with values such as 222/06:00:00. I have specified the timestamp fields as Start Time and the Timestamp format as

%j/%H:%M:%S

Splunk correctly identifies the time but it assumes the day/date starts as today (08/15/2016) instead of the specified day of year in the imported data (e.g. 222 is actually 9 Aug. 2016).

I have tested this conversion by editing my CSV so that one of the rows has 001/06:05:04, which should parse to 01/01/2016 06:05:04.000 but instead parses to 08/15/2016 06:05:04.000

I've tried this data import on both Splunk Light Free (6.4.0) and Splunk Enterprise (6.4.2) and the results are the same.

Is this a problem with my data or with the way Splunk is parsing the day of year value?

Thanks,
Andy

0 Karma
1 Solution

lguinn2
Legend

I believe that @sundareshr is correct:
"You [sic] date format doesn't have a year value. Only has day of the year, which occurs every year. So splunk defaults to current date."

The timestamp format must yield a complete and valid date. A partial date will not work. Here is How Timestamp Assignment Works. So you need to get the year into the date somewhere.

arechenberg
Explorer

Thanks for the reply Lisa. That was indeed the issue. I added the year in front as such:

  2016/231/06:00:00

Splunk then parsed the timestamp as expected.

Thanks again!

0 Karma
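The fix described in this thread, as an added example that is not part of the original posts: a Python pre-processing step that prepends the year to each 'Start Time' value so the format `%Y/%j/%H:%M:%S` yields a complete date. The function names `resolve` and `add_year` and the sample rows are assumptions made for illustration, and the check uses Python's `strptime`, not Splunk's own parser.

```python
import csv
import io
from datetime import datetime

YEAR_FORMAT = "%Y/%j/%H:%M:%S"  # year-qualified form of the format in the question

# Constructed sample rows in the shape described in the question.
SAMPLE_CSV = (
    "Start Time,Event\n"
    "222/06:00:00,job_start\n"
    "001/06:05:04,job_start\n"
)

def resolve(value, year):
    """Parse 'DDD/HH:MM:SS' as belonging to `year` and return a datetime."""
    parsed = datetime.strptime(f"{year:04d}/{value.strip()}", YEAR_FORMAT)
    # Day 366 only exists in leap years; strptime may roll it into the
    # following year instead of failing, so reject any result that moved.
    if parsed.year != year:
        raise ValueError(f"day-of-year in {value!r} is not valid for {year}")
    return parsed

def add_year(csv_text, year, column="Start Time"):
    """Return csv_text with `column` rewritten as 'YYYY/DDD/HH:MM:SS'."""
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        resolve(row[column], year)  # validate before the row is written
        row[column] = f"{year:04d}/{row[column].strip()}"
        writer.writerow(row)
    return out.getvalue()

if __name__ == "__main__":
    print(add_year(SAMPLE_CSV, 2016))
    # The same day number maps to a different calendar date in each year,
    # which is why a year-less value cannot be resolved on its own.
    print(resolve("222/06:00:00", 2016), resolve("222/06:00:00", 2015))
```

The year has to come from somewhere outside the value itself, such as the file name or the export date, because the day number alone does not identify it.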

somesoni2
Revered Legend

The above format does work for me (Splunk 6.2.6). Could you share the props.conf you're trying to use for the sourcetype? (If using Splunk's add data from UI, go to the advanced section on the left and copy to clipboard.)

0 Karma

sundareshr
Legend

You date format doesn't have a year value. Only has day of the year, which occurs every year. So splunk defaults to current date.
