Hello,
I need to load a number of historical CSV files that don't have timestamps fields.
When I load it with CLI oneshot command,
`% /opt/splunk/bin/splunk add oneshot my-csv-$DATE.csv -sourcetype "my-csv-type" -index my_index `
the data rows get the timestamp at the time of indexing. But when I use the web ui, I get a warning triangle but the rows have timestamps of the file's modtime.
I couldn't find any documentation on how to force modtime time stamp oneshot extraction with CLI.
Does anyone have any pointers?
Thanks,
David
Update:
Now with web-ui I'm not getting consistent timestamps - in preview, the timestamps on the rows are from source file's modtime but after indexing they are from current time during indexing...
↧