Solved: PROPS Conf with CSV File

SplunkDash · ‎08-15-2021

Hello,

I wrote a PROPS Configuration file for following csv file but getting error message. Any help will be highly appreciated. Thank you so much.

[ csv ]

SHOULD_LINEMERGE=false

CHARSET=UTF-8

INDEXED_EXTRACTIONS=csv

TIME_FORMAT=%Y%m%d %H:%M:%S:%Q

HEADER_FIELD)LINE_NUMBER=1

TIMESTAMP_FIELDS=TIMESTAMP

category=Structured

venkatasri · ‎08-15-2021

@SplunkDash try below you have to deploy them to UF.

[ csv ]
SHOULD_LINEMERGE=false
CHARSET=UTF-8
INDEXED_EXTRACTIONS=csv
TIME_FORMAT=%Y%m%d %H:%M:%S:%3Q
HEADER_FIELD_LINE_NUMBER=1
TIMESTAMP_FIELDS=TIMESTAMP
category=Structured

View solution in original post

venkatasri · ‎08-15-2021

@SplunkDash try below you have to deploy them to UF.

[ csv ]
SHOULD_LINEMERGE=false
CHARSET=UTF-8
INDEXED_EXTRACTIONS=csv
TIME_FORMAT=%Y%m%d %H:%M:%S:%3Q
HEADER_FIELD_LINE_NUMBER=1
TIMESTAMP_FIELDS=TIMESTAMP
category=Structured

SplunkDash · ‎08-15-2021

Thank you so much. But, still getting error message...Failed to parse timestamp!!!

venkatasri · ‎08-15-2021

@SplunkDash Your field name in CSV seems TimeStamp (camel case), what you have set TIMESTAMP_FIELDs = TIMESTAMP (caps) can you correct it to match with CSV header names.

SplunkDash · ‎08-15-2021

oops ...😀 cool working as expected, thank you so much, appreciated!!!

PROPS Conf with CSV File

regex

Splunk Forwarders and Forced Time Based Load Balancing

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!