Hi All,
I have a CSV file with the below data and am trying to push it to Splunk.
Example -
Thu JUN 24 15:27:52 +08 2021,name1,address1,Thu AUG14 15:27:52 2021,Active
Thu JUN 24 15:27:52 +08 2021,name1,address1,Thu JUN 15 05:15:52 2021,Active
In props I'm using the below:
[test_app]
SHOULD_LINEMERGE= FALSE
FIELD_DELIMETER=,
HEADER_FIELD_DELIMETER=,
FIELD_NAMES=Time,names,address,creationtime,status
TIMESTAMP_FIELDS=creationtime
TZ=Asia/Singapore
TIME_FORMAT=%a %b %d %H:%M:%S %Y
Fourth field as timestamp, but Splunk is not able to push data.
But using the first field in the CSV as the time field, I am able to push data to Splunk using the below stanza.
What might be the cause? Can someone explain?
SHOULD_LINEMERGE= FALSE
FIELD_DELIMETER=,
HEADER_FIELD_DELIMETER=,
FIELD_NAMES=Time,names,address,creationtime,status
TIMESTAMP_FIELDS=Time
TZ=Asia/Singapore
TIME_FORMAT=%d%m%Y%H%M
It looks to me like neither set of props would work. In the second set, the TIME_FORMAT setting is completely wrong for the sample event. It's just a little off in the first instance. What is the INDEX_EXTRACTIONS setting?
I didn't keep any INDEX_EXTRACTIONS setting.
And I know in the second set the TIME_FORMAT setting is completely different, but I'm not sure why it is working, because I am able to push data using the second set.
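An added check, not part of the original thread: the two TIMESTAMP_FIELDS / TIME_FORMAT pairs from the question, run against the sample rows to show which values each format string can actually parse. It assumes Python's `datetime.strptime` as a stand-in for Splunk's strptime (they are not identical) and does not model what Splunk does when TIME_FORMAT fails to match; the function names are hypothetical.

```python
import csv
import io
from datetime import datetime

# Sample rows copied from the question.
SAMPLE = """\
Thu JUN 24 15:27:52 +08 2021,name1,address1,Thu AUG14 15:27:52 2021,Active
Thu JUN 24 15:27:52 +08 2021,name1,address1,Thu JUN 15 05:15:52 2021,Active
"""
FIELD_NAMES = ["Time", "names", "address", "creationtime", "status"]

# The two (TIMESTAMP_FIELDS, TIME_FORMAT) pairs from the question.
STANZAS = {
    "first": ("creationtime", "%a %b %d %H:%M:%S %Y"),
    "second": ("Time", "%d%m%Y%H%M"),
}


def try_parse(value, time_format):
    """Return the parsed datetime, or None if the format does not match."""
    try:
        return datetime.strptime(value, time_format)
    except ValueError:
        return None


def check(sample, field, time_format):
    """Parse `field` of every CSV row; returns one (value, result) per row."""
    reader = csv.DictReader(io.StringIO(sample), fieldnames=FIELD_NAMES)
    return [(row[field], try_parse(row[field], time_format)) for row in reader]


def report():
    """One line per stanza and row: the raw value and the parse verdict."""
    lines = []
    for name, (field, fmt) in STANZAS.items():
        for value, parsed in check(SAMPLE, field, fmt):
            verdict = parsed.isoformat() if parsed else "NO MATCH"
            lines.append(f"{name:6} {field:12} {value!r:34} -> {verdict}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Running a candidate TIME_FORMAT over a few real rows like this before deploying props catches format mismatches that would otherwise surface only as wrong or missing event times in the index.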