I am loading **CSV file without HEADERS** in Splunk. File is getting correctly loaded in Splunk. For column names I have defined ‘FIELD_NAMES’ property in props.conf.
I have set one of the fields from ‘FIELD_NAMES’ as TIMESTAMP_FIELDS, but it is not taking it as _time
My Question is, How can I specify TIMESTAMP_FIELDS in this props.conf for CSV file without HEADERS ?
E.g
Some data in a student file
1. AAA,1001,98, 15:10:05.962 EST Wed Feb 4 2015
2. BBB,1002,87, 15:10:05.962 EST Wed Feb 4 2015
3. CCC,1003,90, 15:10:05.962 EST Wed Feb 4 2015
inputs.conf
1. [monitor:///daya01/student]
2. sourcetype=stu
3.
props.conf
1. [stu]
2. SHOULD_LINEMERGE = false
3. FIELD_NAMES = name,id,marks, joining_time
4. **TIMESTAMP_FIELDS = joining_time**
What value should i set to TIMESTAMP_FIELDS ?
↧