Hi,
I have been stuck on this for almost three days now. I am unable to stop the timestamp from the events being indexed. But when I set
`DATETIME_CONFIG = NONE` or `DATETIME_CONFIG = CURRENT`, I am unable to see the fields of the csv file. I even explicitly specified `DELIMS=","` and `FIELDS_NAME="field1","field2","field3"`.
Below are the details of the configuration and sample events (the commented options are ones I have tested, but it is still not working):
This is my [props.conf][1]:
```
[custom_csv]
DATETIME_CONFIG = NONE
MAX_TIMESTAMP_LOOKAHEAD = 0
SHOULD_LINEMERGE = False
#pulldown_type = true
#INDEXED_EXTRACTIONS = csv
#FIELD_DELIMITER=,
#HEADER_FIELD_DELIMITER=,
#KV_MODE = none
#category = Structured
```
Sample events:
```
User ID,First Name,Last Name,Account Enabled,User Locked,Serial Number,Token Type,Token Lost,Token Expiration Date,PIN Type,Token Enabled,Date Last Logged In,Days Since Last Log In
xy111111,Firstname,lastname,Yes,FALSE,xxxxx,myID 200,FALSE,9/30/2016 4:00,code,Yes,11/28/2015 9:13,0
xz000000,first Name,last Name,Yes,FALSE,xxxxxx,myID 700,FALSE,10/31/2016 4:00,code,Yes,7/4/2014 1:37,513
yz222222,firstname,Last Name,Yes,FALSE,xxxxxx,myID 300,FALSE,5/31/2019 4:00,code,Yes,9/9/2014 8:34,445
```
[1]: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf?utm_source=answers&utm_medium=in-answer&utm_term=props.conf&utm_campaign=refdoc#props.conf.example
The main problem is caused by the Expiration Date field, which is in the future, and 4:00 is considered as the time for the events.
Can anyone shed some light on whether I am missing something? Or is it a bug in 6.3.1? We are running the latest version.
Thanks,