Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

get timestamp from filename

olivier_romain
Engager
‎12-07-2012 09:19 AM

hello,

I am trying to retreive timestamp from filename. I have files named like

"disco_20120531.txt"

with content looking like:

"net0 family 'Web' application 'videosurf' path 'base.eth.8021q.ip.gre.ppp.ip.tcp.http.videosurf' rate 0 totbytes 25664 nb_packet 231 nb_uapp_cnx 25"

I try to set timestamp from filename "disco_20120531.txt" to 31/05/2012

However I couldn't make it. My app props.conf :

[source::/root/data/disco/daily/*]
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
pulldown_type = 1
TIME_PREFIX = disco_
TIME_FORMAT = %Y%m%d

This config works if the filename is added to the file content, but otherwise not. Time stamp is not found and splunk uses file mod time instead.

Does anyone has got an idea what's wrong?

Thanks in advance,

Olivier

Tags (3)
Reply

lguinn2
Legend
‎12-08-2012 06:29 PM

From the Splunk documentation here

"4. If no events in a source have a date, Splunk tries to find one in the source name or file name. (This requires that the events have a time, even though they don't have a date.)"

TIME_PREFIX and TIME_FORMAT are not used when parsing the date in a file name. They apply only when extracting the timestamp from an event.

Bottom line: Splunk will use your file modification date/time. I don't know any way around this, but perhaps someone else on this forum does. Or you could open a support ticket... The best option, if possible, is to add a full timestamp to every event.

Reply

marcoscala
Builder
‎05-15-2014 03:25 AM

Hi Lisa,
I have the same problem too in Splunk 6.1, as many others, for a quite important prospect. I also had as last resort the idea of adding at the beginning of the _raw data the timestamp extracted from the source file, with date and time of the generation of the informations.

I only have a doubt: isn't timestamp assigned during the parsing phase before the Custom configurations in props.conf, like transforms and so on? We tried that but with no results...

Regards,
Marco

0 Karma
Reply

olivier_romain
Engager
‎12-26-2012 05:16 AM

Thanks, I did set TIME_PREFIX and TIME_FORMAT so that splunk did not find any ts into the event itself. It does backup on the file update time, which is fine.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...