Solved: Timestamp creation- index time from csv file

sidhantbhayana · ‎01-30-2018

Hi All,

I have a situation where the data is in csv format and first two columns have date and time information, my requirement is to create _time using both columns during indexing.

Sample Logs:
012518,12:34:41:163,1
012618,16:04:42:100,10

I am facing problems in creating configs for the same.

_
Regards,
Sidhant

mayurr98 · ‎01-30-2018

hey,

Just assign below in inputs.conf wherever your monitor stanza is!

[<your_monitor_stanza>]
index = <your_index>
sourcetype = csv

Let me know if this helps!

View solution in original post

mayurr98 · ‎01-30-2018

hey,

Just assign below in inputs.conf wherever your monitor stanza is!

[<your_monitor_stanza>]
index = <your_index>
sourcetype = csv

Let me know if this helps!

sidhantbhayana · ‎01-30-2018

It helps @mayurr98 , but I have a custom sourcetype, although I could find the solution: TIME_FORMAT=%m%d%y,%H:%M:%S:%3N

mayurr98 · ‎01-30-2018

yeah, if you have a custom sourcetype then TIME_FORMAT=%m%d%y,%H:%M:%S:%3N this would do!

HiroshiSatoh · ‎01-30-2018

DATE,TIME,COUNT
012518,12:34:41:163,1
012618,16:04:42:100,10

Can you retrieve it with data source CSV? In my environment _time has been set without any particular settings.

sidhantbhayana · ‎01-30-2018

Yes, correct! This is because you are using default sourcetype(csv). I have a custom sourcetype.

Timestamp creation- index time from csv file

Thanks for the Memories! Splunk University, .conf24, and Community Connections

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...