Hi,
I have been almost stuck on this for three days now. I am unable to stop indexing of the timestamp from the events. But when I set DATETIME_CONFIG = NONE or DATETIME_CONFIG = CURRENT, I am unable to see the fields of the CSV file. I even explicitly specified DELIMS="," & FIELDS_NAME="field1","field2","field3".
Below are the details of the configuration and sample events. (The commented options are ones I have tested, but they are still not working.)
This is my props.conf (http://docs.splunk.com/Documentation/Splunk/6.3.1511/Admin/Propsconf?utm_source=answers&utm_medium=in-answer&utm_term=props.conf&utm_campaign=refdoc#props.conf.example )
[custom_csv]
DATETIME_CONFIG = NONE
MAX_TIMESTAMP_LOOKAHEAD = 0
SHOULD_LINEMERGE = False
#pulldown_type = true
#INDEXED_EXTRACTIONS = csv
#FIELD_DELIMITER=,
#HEADER_FIELD_DELIMITER=,
#KV_MODE = none
#category = Structured
Sample events:
User ID,First Name,Last Name,Account Enabled,User Locked,Serial Number,Token Type,Token Lost,Token Expiration Date,PIN Type,Token Enabled,Date Last Logged In,Days Since Last Log In
xy111111,Firstname,lastname,Yes,FALSE,xxxxx,myID 200,FALSE,9/30/2016 4:00,code,Yes,11/28/2015 9:13,0
xz000000,first Name,last Name,Yes,FALSE,xxxxxx,myID 700,FALSE,10/31/2016 4:00,code,Yes,7/4/2014 1:37,513
yz222222,firstname,Last Name,Yes,FALSE,xxxxxx,myID 300,FALSE,5/31/2019 4:00,code,Yes,9/9/2014 8:34,445
The main problem is caused by the Expiration Date field, which is in the future, and 4:00 is considered as the time for the events.
Can anyone shed some light on whether I am missing something? Or is it a bug in 6.3.1? We are running the latest version.
Thanks,
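
The collision described in the post, as an added example that is not part of the original post: it lists every date-like column in the sample rows and shows which one a leftmost-match scan would pick. The left-to-right scan is a simplified model assumed for illustration, not Splunk's actual timestamp processor, and the function names and the ingestion time are hypothetical.

```python
import csv
import io
from datetime import datetime

# Constructed sample: header and rows copied from the post above.
SAMPLE = """\
User ID,First Name,Last Name,Account Enabled,User Locked,Serial Number,Token Type,Token Lost,Token Expiration Date,PIN Type,Token Enabled,Date Last Logged In,Days Since Last Log In
xy111111,Firstname,lastname,Yes,FALSE,xxxxx,myID 200,FALSE,9/30/2016 4:00,code,Yes,11/28/2015 9:13,0
xz000000,first Name,last Name,Yes,FALSE,xxxxxx,myID 700,FALSE,10/31/2016 4:00,code,Yes,7/4/2014 1:37,513
yz222222,firstname,Last Name,Yes,FALSE,xxxxxx,myID 300,FALSE,5/31/2019 4:00,code,Yes,9/9/2014 8:34,445
"""

TIME_FORMAT = "%m/%d/%Y %H:%M"  # matches values such as 9/30/2016 4:00


def parse_ts(value):
    """Return a datetime if the value matches TIME_FORMAT, else None."""
    try:
        return datetime.strptime(value.strip(), TIME_FORMAT)
    except ValueError:
        return None


def timestamp_candidates(text, now):
    """Per data row: (user id, [(column, datetime, is_future), ...]) left to right."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    report = []
    for row in reader:
        if not row:  # skip blank lines
            continue
        found = []
        for name, value in zip(header, row):
            ts = parse_ts(value)
            if ts is not None:
                found.append((name, ts, ts > now))
        report.append((row[0], found))
    return report


def first_candidate_columns(text, now):
    """Column a naive leftmost-match scan would use as the event time, per row."""
    return [f[0][0] if f else None for _, f in timestamp_candidates(text, now)]


if __name__ == "__main__":
    now = datetime(2015, 11, 30)  # assumed ingestion time, not from the post
    for user, found in timestamp_candidates(SAMPLE, now):
        for name, ts, future in found:
            print(f"{user}: {name} = {ts} {'(future)' if future else ''}")
    print("leftmost match per row:", first_candidate_columns(SAMPLE, now))
```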