×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
jaware_splunk
Splunk Employee
Member since: ‎05-04-2020
‎04-07-2021
Community Statistics
Posts 4
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎05-04-2020
View All

Re: CSV date being replaced/not parsed correctly

by Splunk Employee in Getting Data In
‎05-04-2020 01:23 PM
‎05-04-2020 01:23 PM
Here's an example. Download the Max dataset from here: https://www.nasdaq.com/market-activity/stocks/amd/historical Note it doesn't have the timestamp, so a new column was added with 16:00:00 (end of market close) called Time. I used the default CSV sourcetype as a test and same issue. Test search (All time): source="filename.csv" index="test" | timechart values("Close/Last") span=1d Around 2014 starts mis-parsing (Statistics tab -> click on date -> view events -> _time is different than the event date). ... View more

Re: CSV date being replaced/not parsed correctly

by Splunk Employee in Getting Data In
‎05-04-2020 11:58 AM
‎05-04-2020 11:58 AM
Same result. It parses from Nov 2014 - today properly. But for some reason prior to Nov 2014 it doesn't. ... View more

Re: CSV date being replaced/not parsed correctly

by Splunk Employee in Getting Data In
‎05-04-2020 11:35 AM
‎05-04-2020 11:35 AM
So this happens when using the default csv sourcetype as well as a custom one. Here's the custom one: BREAK_ONLY_BEFORE_DATE = DATETIME_CONFIG = INDEXED_EXTRACTIONS = csv KV_MODE = none LINE_BREAKER = ([\r\n]+) NO_BINARY_CHECK = true SHOULD_LINEMERGE = false TIME_FORMAT = %Y-%m-%d %H:%M:%S category = Structured description = Comma-separated value format. Set header and other settings in "Delimited Settings" disabled = false pulldown_type = true ... View more

CSV date being replaced/not parsed correctly

by Splunk Employee in Getting Data In
‎05-04-2020 08:23 AM
‎05-04-2020 08:23 AM
Let's say I have a CSV with the following spanning 10 years: Date | Time | Value 2020-05-01 4:00:00 PM 49.88 If I try to do a timechart it works fine for the last several years but if I select All Time then it incorrectly parses the timestamp and groups multiple days worth of values in a single day: _time | values(Close) 2014-11-12 | 1.86 1.87 1.88 1.92 If I view the events, the parsed timestamp is incorrect now, but only for really old events: Time (Splunk parsed): 11/12/14 4:00:00.000 PM Full Event: 2010-05-04,4:00:00 PM,8.68,46458590,9.08,9.08,8.54 Time (Splunk parsed): 11/12/14 4:00:00.000 PM Full Event: 2010-05-26,4:00:00 PM,8.22,37479000,8.39,8.59,8.18 I did this with the built-in CSV sourcetype as well as custom. Thanks for any help! EDIT: Here's an example. Download the Max dataset from here: https://www.nasdaq.com/market-activity/stocks/amd/historical Note it doesn't have the timestamp, so a new column was added with 16:00:00 (end of market close) called Time. I used the default CSV sourcetype as a test and same issue. Test search (All time): source="filename.csv" index="test" | timechart values("Close/Last") span=1d Around 2014 starts mis-parsing (Statistics tab -> click on date -> view events -> _time is different than the event date). ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎04-07-2021 02:51 PM