- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- how to extract date from filename and add it with ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have log files with names like: " my-file-log1.2017-07-25.name.log"
The events in the log are like this:
060047.342061Z INFO ASDFTestStatusMsg::eval: Passed(123/567892)
The time format in the events is: HHmmss.SSSSSS or HHmmss.SSS
Requirement is to add the date from filename into all the events at index time.
I also need help in converting the time into proper timestamp.
any solutions suggested?
Thanks,
Bharath
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Niket, your clue helped us resolve the issue.
in your props.conf, []
TIME_FORMAT=%H%M%S.%6N
we had also problem in filename, that we fixed.
-Bharath
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Niket, your clue helped us resolve the issue.
in your props.conf, []
TIME_FORMAT=%H%M%S.%6N
we had also problem in filename, that we fixed.
-Bharath
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@bkumarm, glad it worked. Please up vote the comment if it helped.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I see that the http://docs.splunk.com/Documentation/Splunk/6.3.4/Data/HowSplunkextractstimestamps
says it does by default. but it is not working for me
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So when you search this data you do not get the fields
date_hour
date_mday
date_minute
etc?
Does adding this to your search add a new field named "indextime" ?
| eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@bkumarm, in your props.conf, have you extracted only the time from your logs? If you have not as it is mentioned in the documentation Splunk will default time to file modified timestamp. If you extract the time properly, Splunk should be able to pull the date from the filename. Proper time format seems to be following:
[<yourSourceTypeName>]
TIME_FORMAT=%H%M%S.%6N
Please try out and confirm.
| makeresults | eval message= "Happy Splunking!!!"
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
