Hello,
We have a CSV file, which is a flat file. It has a column named 'RUNDATE' where the date is in '2016-04-20' format.
Currently, Splunk indexes all the lines in this CSV with the modification time of the CSV file.
Is there a way to configure Splunk to read the RUNDATE value and set that as the event time? Below is how the sourcetype is configured in the indexer's props.conf:
[uow_csv]
SHOULD_LINEMERGE = false
INDEXED_EXTRACTIONS = csv
MAX_TIMESTAMP_LOOKAHEAD=11
HEADER_FIELD_LINE_NUMBER = 1
HEADER_FIELD_DELIMITER = ,
TIMESTAMP_FIELDS = RUNDATE
TIME_FORMAT = %Y-%m-%d
MAX_TIMESTAMP_LOOKAHEAD=11