Hi,
I have a logfile that has timestamps in it, but no date. The name of the logfile has a date - is there any way to assign the date from the file? I know it would automatically post today's date, but sometimes these files show up late, so I'd like to extract it.
Format:
ORS_RTP_Node1_BK.20150107_133125_493.log
Yes, it can be done.
Check out the discussion and documentation regarding using datetime.xml to do this:
http://answers.splunk.com/answers/12015/setting-date-on-event-based-on-filename.html
(there is some bad formatting on the config code but you should get the idea)
http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/Configuretimestamprecognition
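
The same idea outside Splunk, as an added example that is not part of the original answer and is not the datetime.xml configuration it refers to: Python code that takes the date from the file name and applies it to time-only events, advancing the date when the clock wraps past midnight. The function names `file_start` and `stamp_events`, the reading of the file name fields as date, time and milliseconds, and the `HH:MM:SS[.mmm] message` line layout are assumptions; only the file name comes from the question.

```python
import re
from datetime import datetime, timedelta

# File name layout from the question: <name>.<YYYYMMDD>_<HHMMSS>_<mmm>.log
# (reading the three fields as date, time and milliseconds is an assumption).
FILENAME_RE = re.compile(r"\.(\d{8})_(\d{6})_(\d{3})\.log$")
# Assumed event layout: each line starts with a time-only stamp HH:MM:SS[.mmm].
LINE_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2})(?:\.(\d{1,6}))?\s+(.*)$")


def file_start(filename):
    """Return the datetime encoded in the log file name."""
    m = FILENAME_RE.search(filename)
    if not m:
        raise ValueError(f"no date in file name: {filename!r}")
    day, clock, millis = m.groups()
    base = datetime.strptime(day + clock, "%Y%m%d%H%M%S")
    return base + timedelta(milliseconds=int(millis))


def stamp_events(filename, lines):
    """Yield (datetime, message) pairs, dating each line from the file name.

    If the time of day goes backwards by more than an hour, the file is
    assumed to have crossed midnight and the date is advanced one day.
    """
    day = file_start(filename).replace(hour=0, minute=0, second=0, microsecond=0)
    previous = None
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # no time stamp: continuation line, skipped here
        h, mi, s, frac, message = m.groups()
        micro = int((frac or "0").ljust(6, "0"))
        offset = timedelta(hours=int(h), minutes=int(mi), seconds=int(s), microseconds=micro)
        if previous is not None and previous - offset > timedelta(hours=1):
            day += timedelta(days=1)
        previous = offset
        yield day + offset, message


# Constructed sample lines; only the file name comes from the question.
SAMPLE_NAME = "ORS_RTP_Node1_BK.20150107_133125_493.log"
SAMPLE_LINES = [
    "13:31:25.493 session opened",
    "23:59:58.100 heartbeat",
    "00:00:01.250 heartbeat",
]
```

Because the date comes from the file name rather than the arrival time, a file that shows up late still gets the right day, which keeps event ordering correct when logs from several hosts are correlated.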