
strptime() format for yyyymmddhhmmss?

hiddenkirby
Contributor

strptime() format expression examples

Below are some sample date formats with strptime() expressions that handle them.

1998-12-31                     %Y-%m-%d
98-12-31                       %y-%m-%d
1998 years, 312 days           %Y years, %j days
Jan 24, 2003                   %b %d, %Y
January 24, 2003               %B %d, %Y
q|25 Feb '03 = 2003-02-25|     q|%d %b '%y = %Y-%m-%d|

Does one exist for yyyymmddhhmmss?

My source field will look like this: /dir/to/file/on/20100526123445/file.txt

Curious if the dynamic date extraction could figure this out.

0 Karma
1 Solution

Lowell
Super Champion

For extractions from a path, open up the $SPLUNK_HOME/etc/datetime.xml and search for entries prefixed with source::. It doesn't look like one exists right now, but you would probably have to add one. Since your timestamp has no breakers in it (there are no non-digits after the yyyymmdd portion) then nothing in the source will match, based on the existing rexes in datetime.xml.

I see you've had some other questions on this topic. I'm guessing that you're creating your own datetime.xml and it isn't working. Is that correct? If you post what you've tried, someone may be able to help track it down.

And just for the record, the datetime.xml file uses all regexes, and is not a strptime() thing at all.


Are you looking to set up a TIME_FORMAT entry in a props.conf file? If so, try:

TIME_FORMAT = %Y%m%d%H%M%S


0 Karma

gkanapathy
Splunk Employee

No, it will not get that format, though it might be able to get the date if the timestamps are in the file. If there is nothing in the file that can be misinterpreted as the date (which after all is just a 14-digit number), you may be able to use TIME_FORMAT. Otherwise, you should define a custom datetime.xml file.

0 Karma


hiddenkirby
Contributor

I tried http://www.splunk.com/base/Documentation/4.1.2/Admin/TrainSplunkToRecognizeATimestamp to help build the regex on "/dir/to/file/on/20100526123445/file.txt" to parse the date fields... but to no avail. I wanted to use that regex for my _masheddate3 in a local datetime.xml for my app. Am I closer?

0 Karma

hiddenkirby
Contributor

I misunderstood what TIME_PREFIX did. The closer I look at the results of the indexing ... I notice it didn't work. There were a bunch of coincidental matches on information within the file. 😕

0 Karma

Lowell
Super Champion

Is the name (full path) of the log file stored within the log file itself? I didn't think you could use a TIME_PREFIX to match against source.

0 Karma

hiddenkirby
Contributor

If it was /home/kirb/logs/20100521123456/file.txt

TIME_PREFIX=\/logs\/
TIME_FORMAT=%Y%m%d%H%M%S

0 Karma

hiddenkirby
Contributor

This worked... HOWEVER... it only worked if I specified TIME_PREFIX.

0 Karma

dwaddle
SplunkTrust

You should use something like %Y%m%d%H%M%S

0 Karma
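
An added example, not from any poster in this thread and not Splunk's own logic: Python's strptime() with the %Y%m%d%H%M%S format discussed above, applied to a timestamp embedded in a source path, next to the coincidental 14-digit matches in file content that the thread describes. The regexes, function names and sample strings are constructed for illustration, and the path rule (a component of exactly 14 digits between slashes) is an assumption based on the asker's sample path.

```python
import re
from datetime import datetime

TIME_FORMAT = "%Y%m%d%H%M%S"  # the format given in the thread

# Assumption: the timestamp is a whole path component, exactly 14 digits
# with "/" on both sides, as in the asker's sample path.
PATH_TS = re.compile(r"(?<=/)(\d{14})(?=/)")
# Unanchored: any run of 14 digits, wherever it appears in the text.
ANY_14 = re.compile(r"\d{14}")

# Constructed sample inputs (the path is the one quoted in the question).
SAMPLE_SOURCE = "/dir/to/file/on/20100526123445/file.txt"
SAMPLE_EVENT = "txn=20100102030405 acct=99999999999999 batch=20231301000000"


def parse_candidate(digits):
    """Return a datetime if the digits form a real calendar timestamp, else None."""
    try:
        return datetime.strptime(digits, TIME_FORMAT)
    except ValueError:  # month 13, Feb 30, hour 25, ...
        return None


def timestamp_from_source(source):
    """First 14-digit path component that is also a valid timestamp."""
    for match in PATH_TS.finditer(source):
        parsed = parse_candidate(match.group(1))
        if parsed is not None:
            return parsed
    return None


def coincidental_matches(event_text):
    """14-digit runs in event text that parse as a timestamp by accident."""
    return [d for d in ANY_14.findall(event_text) if parse_candidate(d)]


if __name__ == "__main__":
    print(timestamp_from_source(SAMPLE_SOURCE))
    print(coincidental_matches(SAMPLE_EVENT))
```

Of the three 14-digit numbers in the constructed event text, only the transaction id survives calendar validation, which is the kind of accidental match that puts a wrong time on an indexed event when the format is applied to file content rather than to the path.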