Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Timestamp creation- index time from csv file
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sidhantbhayana
Path Finder
01-30-2018
10:41 PM
Hi All,
I have a situation where the data is in csv format and first two columns have date and time information, my requirement is to create _time using both columns during indexing.
Sample Logs:
012518,12:34:41:163,1
012618,16:04:42:100,10
I am facing problems in creating configs for the same.
_
Regards,
Sidhant
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mayurr98
Super Champion
01-30-2018
11:25 PM
hey,
Just assign below in inputs.conf wherever your monitor stanza is!
[<your_monitor_stanza>]
index = <your_index>
sourcetype = csv
Let me know if this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mayurr98
Super Champion
01-30-2018
11:25 PM
hey,
Just assign below in inputs.conf wherever your monitor stanza is!
[<your_monitor_stanza>]
index = <your_index>
sourcetype = csv
Let me know if this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sidhantbhayana
Path Finder
01-30-2018
11:40 PM
It helps @mayurr98 , but I have a custom sourcetype, although I could find the solution: TIME_FORMAT=%m%d%y,%H:%M:%S:%3N
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mayurr98
Super Champion
01-30-2018
11:45 PM
yeah, if you have a custom sourcetype then TIME_FORMAT=%m%d%y,%H:%M:%S:%3N this would do!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HiroshiSatoh
Champion
01-30-2018
11:18 PM
DATE,TIME,COUNT
012518,12:34:41:163,1
012618,16:04:42:100,10
Can you retrieve it with data source CSV? In my environment _time has been set without any particular settings.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sidhantbhayana
Path Finder
01-30-2018
11:38 PM
Yes, correct! This is because you are using default sourcetype(csv). I have a custom sourcetype.
Get Updates on the Splunk Community!
.conf25 Registration is OPEN!
Ready. Set. Splunk!
Your favorite Splunk user event is back and better than ever. Get ready for more technical ...
Detecting Cross-Channel Fraud with Splunk
This article is the final installment in our three-part series exploring fraud detection techniques using ...
Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside
Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...
