date and month recognition from soruce file name f...

realajay89 · ‎10-06-2014

i am trying to implement Time picker for my dashboard . the dashboard gives monthly statistics .
my source data doesn't have any date or month or any timestamp ..
my source file name is " BTM_Net_July.csv" and BTM_Net_august.csv"
now as i select date ranges in splunk . i would like to get the results on the dashboard for that particular month.
i want the timepicker to pick the date from the source filename .
how is it possible . can anyone guide me .
Thanks

theouhuios · ‎10-06-2014

You can write a search to populate that. basically a rex should do it .

When the data is indexed is splunk placing the timestamp? There will be a _time value which will denote the time of the event ( In your case its very likely that splunk places the timestamp of when the file was indexed instead of the _time of event). So if a file in july has been indexed in Aug it might place the date in Aug when the file has been indexed as the _time value.

Coming back to rex

<| rex field=source "BTM_NET_(?\w+)\.">

will give you the month. To limit the data to this you might want to do this if the _time value becomes an issue.

   sourcetype=<yoursourcetype> source=*$Month$.csv | <remainingsearch>

date and month recognition from soruce file name for timepicker implementation

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!