I am having a strange problem with importing a CSV file. So far all files worked, but on a specific production machine we have, the parts of the timestamp are separated by a semicolon (Year;Month;Day;Hour...) from an Excel file like this:
The auto time stamp recognition does not work and assigns the present actual time stamp. Can I tell Splunk that in each CSV the first 5 columns (or separated fields) are the timestamp? Btw: When importing the CSV, Splunk does not display it in the preview in the right order. Could that mean anything?
Thanks again in advance, during this week this community helped me a lot!
A little tricky, but it did work for me. It also doesn't make much sense, but sometimes it doesn't have to if it works. The TIME_FORMAT is applied after the TIMESTAMP_FIELDS and FIELD_DELIMITER, so it is confusing.