https://community.splunk.com/t5/Getting-Data-In/get-timestamp-from-filename/m-p/57470#M11226 <P>Thanks, I did set TIME_PREFIX and TIME_FORMAT so that splunk did not find any ts into the event itself. It does backup on the file update time, which is fine.</P> Mon, 28 Sep 2020 13:01:02 GMT olivier_romain 2020-09-28T13:01:02Z https://community.splunk.com/t5/Getting-Data-In/get-timestamp-from-filename/m-p/57468#M11224 <P>hello,</P> <P>I am trying to retreive timestamp from filename. I have files named like </P> <P>"disco_20120531.txt"</P> <P>with content looking like:</P> <P>"net0 family 'Web' application 'videosurf' path 'base.eth.8021q.ip.gre.ppp.ip.tcp.http.videosurf' rate 0 totbytes 25664 nb_packet 231 nb_uapp_cnx 25"</P> <P>I try to set timestamp from filename "disco_20120531.txt" to 31/05/2012</P> <P>However I couldn't make it. My app props.conf :</P> <P>[source::/root/data/disco/daily/*]<BR /> NO_BINARY_CHECK = 1<BR /> SHOULD_LINEMERGE = false<BR /> pulldown_type = 1<BR /> TIME_PREFIX = disco_<BR /> TIME_FORMAT = %Y%m%d</P> <P>This config works if the filename is added to the file content, but otherwise not. Time stamp is not found and splunk uses file mod time instead.</P> <P>Does anyone has got an idea what's wrong?</P> <P>Thanks in advance,</P> <P>Olivier</P> Mon, 28 Sep 2020 12:55:45 GMT https://community.splunk.com/t5/Getting-Data-In/get-timestamp-from-filename/m-p/57468#M11224 olivier_romain 2020-09-28T12:55:45Z https://community.splunk.com/t5/Getting-Data-In/get-timestamp-from-filename/m-p/57469#M11225 <P>From the Splunk documentation <A href="http://docs.splunk.com/Documentation/Splunk/5.0/Data/HowSplunkextractstimestamps">here</A></P> <P>"4. If no events in a source have a date, Splunk tries to find one in the source name or file name. (This requires that the events have a time, even though they don't have a date.)"</P> <P>TIME_PREFIX and TIME_FORMAT are not used when parsing the date in a file name. They apply only when extracting the timestamp from an event.</P> <P>Bottom line: Splunk will use your file modification date/time. I don't know any way around this, but perhaps someone else on this forum does. Or you could open a support ticket... The best option, if possible, is to add a full timestamp to every event.</P> Sun, 09 Dec 2012 02:29:18 GMT https://community.splunk.com/t5/Getting-Data-In/get-timestamp-from-filename/m-p/57469#M11225 lguinn2 2012-12-09T02:29:18Z https://community.splunk.com/t5/Getting-Data-In/get-timestamp-from-filename/m-p/57470#M11226 <P>Thanks, I did set TIME_PREFIX and TIME_FORMAT so that splunk did not find any ts into the event itself. It does backup on the file update time, which is fine.</P> Mon, 28 Sep 2020 13:01:02 GMT https://community.splunk.com/t5/Getting-Data-In/get-timestamp-from-filename/m-p/57470#M11226 olivier_romain 2020-09-28T13:01:02Z https://community.splunk.com/t5/Getting-Data-In/get-timestamp-from-filename/m-p/57471#M11227 <P>Hi Lisa,<BR /> I have the same problem too in Splunk 6.1, as many others, for a quite important prospect. I also had as last resort the idea of adding at the beginning of the _raw data the timestamp extracted from the source file, with date and time of the generation of the informations.</P> <P>I only have a doubt: isn't timestamp assigned during the parsing phase before the Custom configurations in props.conf, like transforms and so on? We tried that but with no results...</P> <P>Regards,<BR /> Marco</P> Thu, 15 May 2014 10:25:32 GMT https://community.splunk.com/t5/Getting-Data-In/get-timestamp-from-filename/m-p/57471#M11227 marcoscala 2014-05-15T10:25:32Z