https://community.splunk.com/t5/Getting-Data-In/How-to-apply-source-file-date-using-INGEST-as-Time/m-p/596865#M104191 <P>Sorry for the delay in responding, the setting is not applied, and it appears in N/NaN/NaN form in the time file during the test.</P><P>And I want to format %Y/%m/%d %T</P> Mon, 09 May 2022 01:38:46 GMT noott211 2022-05-09T01:38:46Z https://community.splunk.com/t5/Getting-Data-In/How-to-apply-source-file-date-using-INGEST-as-Time/m-p/596328#M104124 <P>There's no time in my log<BR /><BR />You want to extract the source file date using the INGEST command</P> <P>Source name &nbsp;/var/log/data_20220507.log</P> <P>How can I add random time after the date over there?<BR /><BR />i want _time = 2022/05/07 11:23:22.2<BR /><BR />I would appreciate it if you could tell me the settings of Props.conf transforms.conf<BR /><BR /></P> Wed, 04 May 2022 04:48:32 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-apply-source-file-date-using-INGEST-as-Time/m-p/596328#M104124 noott211 2022-05-04T04:48:32Z https://community.splunk.com/t5/Getting-Data-In/How-to-apply-source-file-date-using-INGEST-as-Time/m-p/596351#M104125 <P>Hi</P><P>FIXED: 2023-05-25</P><P>&nbsp;</P><P>you can try something like this</P><P>props.conf</P><P>&nbsp;</P><LI-CODE lang="markup">[source::/var/log/data_*.log] TRANSFORMS-set_time = set_time</LI-CODE><P>&nbsp;</P><P>transforms.conf</P><P>&nbsp;</P><LI-CODE lang="markup">[set_time] INGEST_EVAL = _time = strptime(replace(source, ".*/data_(\d{8}).*","\1") + tostring(random() % 86400,"duration"),"%Y%m%d%H:%M:%S")</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>Or test in GUI:</P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults | eval source="/var/log/data_20220507.log" | fields - _time ``` above set test data ``` | eval _time = strptime(replace(source, ".*/data_(\d{8}).*","\1") + tostring(random() % 86400,"duration"),"%Y%m%d%H:%M:%S")</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>I haven't tested those files, just in GUI, so there could be some mistakes, but &nbsp;base idea is working.</P><P>&nbsp;r. Ismo</P> Thu, 25 May 2023 08:22:30 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-apply-source-file-date-using-INGEST-as-Time/m-p/596351#M104125 isoutamo 2023-05-25T08:22:30Z https://community.splunk.com/t5/Getting-Data-In/How-to-apply-source-file-date-using-INGEST-as-Time/m-p/596865#M104191 <P>Sorry for the delay in responding, the setting is not applied, and it appears in N/NaN/NaN form in the time file during the test.</P><P>And I want to format %Y/%m/%d %T</P> Mon, 09 May 2022 01:38:46 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-apply-source-file-date-using-INGEST-as-Time/m-p/596865#M104191 noott211 2022-05-09T01:38:46Z https://community.splunk.com/t5/Getting-Data-In/How-to-apply-source-file-date-using-INGEST-as-Time/m-p/596867#M104192 <P>A date format issue has been resolved, but logs are captured based on the current time. Is it a priority issue? I didn't do it No other time-related settings were performed.<BR /><BR /></P> Mon, 09 May 2022 02:10:36 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-apply-source-file-date-using-INGEST-as-Time/m-p/596867#M104192 noott211 2022-05-09T02:10:36Z https://community.splunk.com/t5/Getting-Data-In/How-to-apply-source-file-date-using-INGEST-as-Time/m-p/644601#M109721 <P>Hi</P><P>I just fixed those props.conf and transforms.conf with the correct definitions.</P><P>Format of _time field is defined by your localisation. If you need to see it in another format then you should use some other field to show it in your needed way.</P><P>r. Ismo</P> Thu, 25 May 2023 08:25:00 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-apply-source-file-date-using-INGEST-as-Time/m-p/644601#M109721 isoutamo 2023-05-25T08:25:00Z