Extracting event date from file path

swdonline · ‎09-04-2011

hello all,

I have a set of log files being created in a directory structure as:
/data/hostname/year/month/day/logfile

I understand that I can use the host_segment command to extract the field. I cannot, however, seem to find a way for splunk to automatically extract the date from this path. Any recommendations would be appreciated.

gelica · ‎07-08-2013

Hi,
Did you ever find a way to do this? 🙂

n0b1ta · ‎04-09-2012

I'm having the same proble,. I'm quite new to splunk.
Can anyone please describe more details ?
How can I setup dynamic directories based on timestamp?

Thanks

Ayn · ‎09-04-2011

While I haven't tried this is a setup of my own, according to the documentation Splunk should be doing this automatically if it cannot find a timestamp for events in a file.

See the precedence rules for how Splunk assigns timestamps to events here: http://docs.splunk.com/Documentation/Splunk/latest/Data/HowSplunkextractstimestamps

swdonline · ‎09-05-2011

Thanks Ayn. I did indeed check the docs prior to posting and what I think is the problem is "4. If no events in a source have a date, look in the source (or file) name (Must have time in the event)." Specifically, my events have no timestamps. It's just a summary of items for a 24 hour period. So it seems to be defaulting to #5 or #6. Is there a workaround to force date extraction without timestamps? Or a way to force a timestamp of 00:00 without scripting input?

Extracting event date from file path

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...