How can I configure Splunk to index or accept the datestamp in the name of directories?
The events only have time stamps.
Example:
drwxr-xr-x 2 test test 57344 May 13 03:35 20120513
drwxr-xr-x 2 test test 57344 May 14 21:21 20120514
drwxr-xr-x 2 test test 57344 May 15 18:31 20120515
I'm having issues when I restart the forwarder and it doesn't recognize the date/time in the metadata.
I am assuming that you are getting the date from the directory but the time from the events. You do it like this:
$SPLUNK_HOME/etc/apps/myApp/default/props.conf
# Placeholder stanza: replace with the sourcetype (or source:: path) stanza that covers these files
[my_sourcetype]
# Path is relative to $SPLUNK_HOME
DATETIME_CONFIG = /etc/apps/myApp/default/datetime.xml
$SPLUNK_HOME/etc/apps/myApp/default/datetime.xml
<datetime>
    <!-- The source:: prefix matches the pattern against the source path, not the event text;
         the three groups capture YYYY, MM and DD from a directory such as /20120513/ -->
    <define name="file4date" extract="year, month, day">
        <text><![CDATA[source::.*?/(\d{4})(\d{2})(\d{2})/]]></text>
    </define>
    <define name="event4time" extract="hour, minute, second">
        <!-- This assumes that every event starts with "HH:MM:SS". You must change it to fit your data!!! -->
        <text><![CDATA[^(\d{2}):(\d{2}):(\d{2})]]></text>
    </define>
    <timePatterns>
        <use name="event4time"/>
    </timePatterns>
    <datePatterns>
        <use name="file4date"/>
    </datePatterns>
</datetime>
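Before deploying the config above it is worth checking, on real source paths and event lines, that the two patterns capture what you expect; events that get the wrong timestamp end up out of order in searches and alert timelines. The following script is an added example, not Splunk code and not part of the answer: it only emulates the regex matching that datetime.xml describes (date from the source path, time from the event), with the sample path and event lines constructed to mirror the question.

```python
import re
from datetime import datetime

# Patterns copied from the datetime.xml above. Splunk applies the "source::" pattern to
# the source path rather than the event text, so the prefix is dropped here.
FILE4DATE = re.compile(r".*?/(\d{4})(\d{2})(\d{2})/")
EVENT4TIME = re.compile(r"^(\d{2}):(\d{2}):(\d{2})")


def extract_timestamp(source, event):
    """Combine the date captured from the source path with the time captured
    from the start of the event.

    Returns a datetime, or None when either pattern fails or the captured digits
    do not form a valid date (for example a directory that is not a date at all);
    those are the events Splunk would have to timestamp by other means.
    """
    date_match = FILE4DATE.search(source)
    time_match = EVENT4TIME.match(event)
    if not (date_match and time_match):
        return None
    year, month, day = (int(g) for g in date_match.groups())
    hour, minute, second = (int(g) for g in time_match.groups())
    try:
        return datetime(year, month, day, hour, minute, second)
    except ValueError:
        return None


def check_sample(source, events):
    """Return one extracted timestamp (or None) per event, in input order."""
    return [extract_timestamp(source, e) for e in events]


if __name__ == "__main__":
    # Constructed sample data following the directory layout in the question.
    sample_source = "/var/log/test/20120513/app.log"
    sample_events = [
        "03:35:07 service started",
        "21:21:45 request handled",
        "service restarted without a leading time",
    ]
    for event, ts in zip(sample_events, check_sample(sample_source, sample_events)):
        print(f"{str(ts):<20} <- {event}")
```

An event that prints None is one the pattern in event4time does not cover, so adjust that regex before relying on the config.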