Hello,
I have a csv that is loaded weekly and in the beginning of September, ~20,000 records out of my 90,000 records dropped each week were randomly being assigned the time stamp 3/23/15 11:02:55:300 PM while the rest of the 70,000 records were given the time stamp of when the file was dropped in the auto index. I have no idea why and cannot find that date in my data anywhere. Each week ~20,000 records contain this time stamp, but the number is never consistent.
Below is a copy of my props.conf file for the sourcetype used. Can you help me figure out why this is happening? Or the best way to approach this problem? Thank you!
Also: all of my date_month, date_minute, etc. fields only contain the info from the 3/23/15 date, none of it from the time stamp given to the 70,000 records that have the time the file was dropped into the auto index.
EXTRACT-extractedEmail = (?i)^(?:[^:]*:){3}\d+,\d+,\w+,\w+,\w+,\w+,(?P[^,]+)
EXTRACT-Number = (?i)^(?:[^,]*,){10}(?P[^,]+)
DATETIME_CONFIG =
NO_BINARY_CHECK = true
disabled = false