I have 3 environments:
Laptop - Splunk 6.5.0
Test - Splunk 6.4.3
Prod - Splunk 6.3.2
In the first two environments, I am able to pull in a CSV nightly and grab the timestamp from the first comma-separated field (in epoch form).
My props.conf:
[status_csv]
HEADER_FIELD_LINE_NUMBER = 1
INDEXED_EXTRACTIONS = csv
TIME_FORMAT = %s
TIMESTAMP_FIELDS = collection_time
MAX_TIMESTAMP_LOOKAHEAD = 11
KV_MODE = none
SHOULD_LINEMERGE = false
Sample data:
collection_time,src_host,APstat,def_date,def_version,foo,bar,foobar
1476691203,xxx-osx1010-3,On,2016-10-16 00:00:00.000,2016-10-16 rev. 022,No,local,Not installed
And yet when I push these configs to our PROD indexer cluster, the extractions are created, but Splunk always stamps _time with the time that the event was indexed. (Whereas, in both my Splunk Free environment on my laptop and our UAT environment (similar to Prod, just smaller and now running 6.4.3), the timestamp is appropriately extracted from the 'collection_time' field in the CSV.)
Either something must be overriding the props I've pushed, or something in the configuration is wrong.
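Added example (not part of the post): a pre-deployment check that emulates what the [status_csv] stanza above asks Splunk to do with each CSV row, so a file can be validated before it reaches the indexer. The field name, TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD are copied from the stanza; rows 2 and 3 of the sample are constructed to show the two ways a value can fail to match and fall back to index time.

```python
import csv
import io
from datetime import datetime, timezone

# Values taken from the [status_csv] props.conf stanza in the post.
TIMESTAMP_FIELD = "collection_time"   # TIMESTAMP_FIELDS
TIME_FORMAT = "%s"                    # TIME_FORMAT (epoch seconds)
MAX_LOOKAHEAD = 11                    # MAX_TIMESTAMP_LOOKAHEAD

# Constructed sample: line 2 is the post's own sample row; line 3 (a
# human-readable date) and line 4 (a millisecond epoch) are made up to
# exercise the failure modes of this stanza.
SAMPLE_CSV = """collection_time,src_host,APstat,def_date,def_version,foo,bar,foobar
1476691203,xxx-osx1010-3,On,2016-10-16 00:00:00.000,2016-10-16 rev. 022,No,local,Not installed
2016-10-17 08:00:03,xxx-osx1010-4,On,2016-10-16 00:00:00.000,2016-10-16 rev. 022,No,local,Not installed
1476691203000,xxx-osx1010-5,On,2016-10-16 00:00:00.000,2016-10-16 rev. 022,No,local,Not installed
"""


def check_timestamps(text):
    """Emulate the stanza's timestamp extraction for every data row.

    Returns one dict per row: 'line' (1-based line in the file), 'raw' (the
    characters inside the lookahead window) and 'iso' (the UTC _time the
    event would get, or None when the value does not match TIME_FORMAT and
    Splunk would fall back to index time, the symptom described for prod).
    """
    reader = csv.DictReader(io.StringIO(text))   # HEADER_FIELD_LINE_NUMBER = 1
    if not reader.fieldnames or TIMESTAMP_FIELD not in reader.fieldnames:
        raise ValueError(f"header lacks {TIMESTAMP_FIELD!r}: {reader.fieldnames}")
    results = []
    for line, row in enumerate(reader, start=2):
        # Only MAX_TIMESTAMP_LOOKAHEAD characters of the field are considered
        # (emulated here by truncation), so a 13-digit ms epoch is silently cut.
        raw = (row.get(TIMESTAMP_FIELD) or "").strip()[:MAX_LOOKAHEAD]
        iso = None
        if TIME_FORMAT == "%s":
            if raw.isdigit():
                iso = datetime.fromtimestamp(int(raw), tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        else:
            try:
                iso = datetime.strptime(raw, TIME_FORMAT).strftime("%Y-%m-%dT%H:%M:%SZ")
            except ValueError:
                pass
        results.append({"line": line, "raw": raw, "iso": iso})
    return results


if __name__ == "__main__":
    for r in check_timestamps(SAMPLE_CSV):
        print(r["line"], repr(r["raw"]), r["iso"] or "NO MATCH -> index time")
```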