I'm having problems with a remote file import using a forwarder, where the file time/date stamp is in UK format dd/mm/yyyy 17:00:00 and the first field in the CSV is also dd/mm/yyyy 17:00:00, but the first entry for all items in Splunk is in mm/dd/yyyy format.
Problem is that when I do a search on this CSV in Splunk, the file date stamps are not indexing correctly. See below. Today's entries are coming out of the Splunk index as February. (The CSV file now only contains entries for today in it.)
10/02/2012 17:32:14.000 02/10/2012 17:32:14,fred.blogs,,,,,,,,,,,
The first column in the search is incorrect and is the date Splunk seems to be indexing on. The second date is correct and as per the CSV file.
I've seen some posts that talk about changing the prop.conf file; here's what I've added to the CSV section of e:\Program File\Splunk\etc\system\default\prop.conf
--------------------cut-----------------------
# NON-LOG FILES
[source::....(jar)(.\d+)?]
sourcetype = source_archive
[source::....(css|htm|html|sgml|shtml|template)]
sourcetype = web
[source::....csv]
sourcetype = csv
TIME_FORMAT=%m/%d/%Y %H:%M:%S
--------------------cut-----------------------
This hasn't fixed my problem. So I've either edited the wrong file or I've added the wrong format info or both.
Anybody know how I can fix this issue? I'm stumped.
The confusing thing is that this was working when the CSV had loads of data in it, going back several months. I was about to go into production, so I flattened all the logs to start with clean data using
.\splunk clean
All my files now only have from today in them.
My other log files from syslog and ais are working fine; it's just this CSV that's causing problems. I guess there isn't enough data in the new file for the system to auto-detect the correct date format.
Cheers
Simon
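An added illustration of the symptom in the question (not part of Simon's post, and not Splunk code): the same first field parsed with the UK format the CSV actually uses versus the mm/dd/yyyy TIME_FORMAT from the stanza above. Days 1-12 parse under both formats and silently swap month and day (10 October becomes 2 October / 10 February); days above 12 fail under the wrong format. The sample lines are constructed, in the shape of the line quoted in the post.

```python
from datetime import datetime

# Constructed sample lines in the layout the post describes:
# UK dd/mm/yyyy HH:MM:SS as the first CSV field, then a user name.
SAMPLE_LINES = [
    "02/10/2012 17:32:14,fred.blogs,,,,,,,,,,,",   # 2 October 2012
    "13/10/2012 09:05:00,jane.doe,,,,,,,,,,,",     # 13 October 2012
]

UK_FORMAT = "%d/%m/%Y %H:%M:%S"   # what the CSV actually contains
US_FORMAT = "%m/%d/%Y %H:%M:%S"   # what the posted TIME_FORMAT declares


def first_field(line):
    """Return the timestamp field (everything before the first comma)."""
    return line.split(",", 1)[0]


def parse_with(line, fmt):
    """Parse the first field with fmt; None if the format rejects it."""
    try:
        return datetime.strptime(first_field(line), fmt)
    except ValueError:
        return None


def check_lines(lines, declared_fmt=US_FORMAT, actual_fmt=UK_FORMAT):
    """Compare how each line reads under the declared vs the actual format.

    Returns (field, actual_datetime, declared_datetime, status) per line:
      'silent_swap' - both formats parse but disagree (the February symptom)
      'reject'      - the declared format cannot parse it (day > 12)
      'ok'          - both agree (day == month), the only case the bug hides
    """
    report = []
    for line in lines:
        actual = parse_with(line, actual_fmt)
        declared = parse_with(line, declared_fmt)
        if declared is None:
            status = "reject"
        elif declared != actual:
            status = "silent_swap"
        else:
            status = "ok"
        report.append((first_field(line), actual, declared, status))
    return report


if __name__ == "__main__":
    for field, actual, declared, status in check_lines(SAMPLE_LINES):
        print(f"{field}: actual={actual} declared={declared} -> {status}")
```

Running this over a day's worth of CSV lines before indexing shows whether a declared TIME_FORMAT silently mis-reads the data; with only today's entries (as in the post) every line falls in the ambiguous range, which is why a format guess cannot be corrected from the data alone.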