Hello singhh4, I get 27 files.
Anyways, I followed the directions from http://blogs.splunk.com/2009/12/02/configure-splunk-to-pull-a-date-out-of-a-non-standard-filename/ and added the following in /etc/system/local/datetime.xml
<define name="_combdatetime3" extract="year, ignored_sep, month, ignored_sep1, day, ignored_sep2, hour, ignored_sep3, minute, ignored_sep4, second">
    <!-- ... 2016-07-06-08_43_32 ... -->
    <text><![CDATA[(?:^|source::).*?(20\d\d)([-/_])(0\d|1[012])([-/_])([012]?\d|3[01])([-/_])([012]?\d)([-/_])([0-6]?\d)([-/_])([0-6]?\d)]]></text>
</define>
<datePatterns>
    .....
    <use name="_combdatetime3"/>
</datePatterns>
And as I want each file to be a single event, I have added the following to the props.conf file:
[mysinglefilesourcetype]
# no line merging and a line breaker that can never match: the whole file becomes one event
SHOULD_LINEMERGE = false
LINE_BREAKER = ((*FAIL))
# raise the per-event size limit so the file is not cut off
TRUNCATE = 99999999
# path is relative to $SPLUNK_HOME
DATETIME_CONFIG = /etc/system/local/datetime.xml
I downloaded a new dataset of 279 files and added it to Splunk. For this dataset too, only 34 events were identified.....
The source file names are of the form /Users/ybiyni/Desktop/Work/Text Files/SampleLog-2016-07-01-15_36_11.log. So it looks like I have been unsuccessful in creating the timestamps.....
Any suggestions?
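Added example, not from the original post and not Splunk code: a small Python check that runs the regex from the datetime.xml above against a few source values, so the pattern can be verified offline before touching the indexer. Splunk's positional extract="year, ignored_sep, ..." list is replaced by named groups and the separators are left uncaptured; Python's re is assumed to behave like Splunk's PCRE for this pattern (it uses no PCRE-only syntax). The first two sample paths reuse filenames quoted in the post; the other three are constructed to show which filenames the pattern would not turn into a timestamp.

```python
import re
from datetime import datetime

# The pattern from the datetime.xml <text> element above, translated to Python's re.
# Splunk's extract="year, ignored_sep, month, ..." list names positional groups;
# here the separators are left uncaptured and the date fields get named groups.
SOURCE_TS_RE = re.compile(
    r"(?:^|source::).*?"
    r"(?P<year>20\d\d)[-/_]"
    r"(?P<month>0\d|1[012])[-/_]"
    r"(?P<day>[012]?\d|3[01])[-/_]"
    r"(?P<hour>[012]?\d)[-/_]"
    r"(?P<minute>[0-6]?\d)[-/_]"
    r"(?P<second>[0-6]?\d)"
)


def timestamp_from_source(source):
    """Return the datetime encoded in a Splunk source value such as
    'source::/path/SampleLog-2016-07-01-15_36_11.log', or None when the
    regex does not match or the matched digits are not a valid time."""
    m = SOURCE_TS_RE.search(source)
    if m is None:
        return None
    fields = {name: int(value) for name, value in m.groupdict().items()}
    try:
        return datetime(**fields)
    except ValueError:
        # e.g. hour 29 or second 65: the character classes accept the digits,
        # but no such calendar time exists, so treat the file as unmatched.
        return None


def check_sources(sources):
    """Map each source value to its ISO timestamp, or None if the filename
    would give Splunk nothing and fall through to its default handling."""
    result = {}
    for src in sources:
        ts = timestamp_from_source(src)
        result[src] = ts.isoformat() if ts is not None else None
    return result


# Constructed sample source values (assumption: the same "source::" prefix
# Splunk passes to the datetime.xml regex). The first two reuse filenames
# quoted in the post; the rest are made up to show non-matching cases.
SAMPLE_SOURCES = [
    "source::/Users/ybiyni/Desktop/Work/Text Files/SampleLog-2016-07-01-15_36_11.log",
    "source::/Users/ybiyni/Desktop/Work/Text Files/SampleLog-2016-07-06-08_43_32.log",
    # a year-named directory earlier in the path: the lazy .*? skips past it
    "source::/data/2015/SampleLog-2016-07-01-15_36_11.log",
    # compact date with no separators: no match, so no timestamp from the filename
    "source::/Users/ybiyni/Desktop/Work/Text Files/SampleLog-20160701.log",
    # digits fit the character classes, but hour 29 is not a real time
    "source::/Users/ybiyni/Desktop/Work/Text Files/SampleLog-2016-07-01-29_00_00.log",
]

if __name__ == "__main__":
    for src, ts in check_sources(SAMPLE_SOURCES).items():
        print(f"{ts or 'NO MATCH':<20} {src}")
```

Run it on a listing of the real 279 filenames (prefixed with source::) to see which of them the pattern misses; any file that prints NO MATCH is one that never got a filename timestamp from this rule.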