Solved: Does Splunk use alphabetical order for datetime.xm...

anoopambli · ‎07-16-2018

Is there a sequence Splunk uses (like alphabetical order) for datetime.xml ? As an example, time pattern "use_this-last" should be used only last:

   <use name="use_this_first"/>

   <use name="use_this-second"/> 

   <use name="use_this-last"/>

somesoni2 · ‎07-16-2018

Yes there is. At the bottom on datetime.xml file, you'd find two Patterns blocks named timePatterns and datePatterms. In this you'd find element <use> which defines the order in which the time/date extraction pattern is applied.

e.g. if the timepatterns is like this

<timePatterns>
   <use name="_time"/>
   <use name="_hmtime"/>
...others..
</timePatterns>

Then there will be a <define name="_time".. and <define name="_hmtime".. defined in the datetime.xml file and they are applied in that order (first _time and then _hmtime is applied).

View solution in original post

somesoni2 · ‎07-16-2018

Yes there is. At the bottom on datetime.xml file, you'd find two Patterns blocks named timePatterns and datePatterms. In this you'd find element <use> which defines the order in which the time/date extraction pattern is applied.

e.g. if the timepatterns is like this

<timePatterns>
   <use name="_time"/>
   <use name="_hmtime"/>
...others..
</timePatterns>

Then there will be a <define name="_time".. and <define name="_hmtime".. defined in the datetime.xml file and they are applied in that order (first _time and then _hmtime is applied).

Does Splunk use alphabetical order for datetime.xml parsing?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases