Solved: PROPS Conf with CSV File

SplunkDash · ‎08-15-2021

Hello,

I wrote a PROPS Configuration file for following csv file but getting error message. Any help will be highly appreciated. Thank you so much.

[ csv ]

SHOULD_LINEMERGE=false

CHARSET=UTF-8

INDEXED_EXTRACTIONS=csv

TIME_FORMAT=%Y%m%d %H:%M:%S:%Q

HEADER_FIELD)LINE_NUMBER=1

TIMESTAMP_FIELDS=TIMESTAMP

category=Structured

venkatasri · ‎08-15-2021

@SplunkDash try below you have to deploy them to UF.

[ csv ]
SHOULD_LINEMERGE=false
CHARSET=UTF-8
INDEXED_EXTRACTIONS=csv
TIME_FORMAT=%Y%m%d %H:%M:%S:%3Q
HEADER_FIELD_LINE_NUMBER=1
TIMESTAMP_FIELDS=TIMESTAMP
category=Structured

View solution in original post

venkatasri · ‎08-15-2021

@SplunkDash try below you have to deploy them to UF.

[ csv ]
SHOULD_LINEMERGE=false
CHARSET=UTF-8
INDEXED_EXTRACTIONS=csv
TIME_FORMAT=%Y%m%d %H:%M:%S:%3Q
HEADER_FIELD_LINE_NUMBER=1
TIMESTAMP_FIELDS=TIMESTAMP
category=Structured

SplunkDash · ‎08-15-2021

Thank you so much. But, still getting error message...Failed to parse timestamp!!!

venkatasri · ‎08-15-2021

@SplunkDash Your field name in CSV seems TimeStamp (camel case), what you have set TIMESTAMP_FIELDs = TIMESTAMP (caps) can you correct it to match with CSV header names.

SplunkDash · ‎08-15-2021

oops ...😀 cool working as expected, thank you so much, appreciated!!!

PROPS Conf with CSV File

regex

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases