https://community.splunk.com/t5/Getting-Data-In/Best-way-to-extract-time-from-file-name-and-text/m-p/676764#M113186 <P>Hello to everyone!<BR />I have a curious situation:<BR />I have log files that I collecting via SplunkUF<BR />This log file does not contain a whole timestamp - one part of the timestamp is contained in the file name, and the other is placed directly in the event</P><P><BR />As I found in the other answers, I have options.<BR />1. INGEST_EVAL on the indexer layer: I did not understand how I could take one part from the source and glue it with _raw data<BR /><A href="https://community.splunk.com/t5/Getting-Data-In/How-to-use-date-in-filename-as-the-timestamp-for-each-event/m-p/240175" target="_self">Link to the answer</A><BR /><BR />2. Use handmade script to create a valid timestamp for events - this is more understandable for me, but it looks like "reinventing the wheel"<BR /><BR /></P><P>So the question is, may I use the first option if it is possible?<BR />This is the an example of the source:</P><LI-CODE lang="markup">E:\logs\rmngr_*\24020514.log * - some number 24 - Year Month - 02 Day - 04 Hour - 14</LI-CODE><P><BR />And this is an example of the event:</P><LI-CODE lang="markup">45:50.152011-0,CONN,3,process=rmngr,p:processName=RegMngrCntxt,p:processName=ServerJobExecutorContext,OSThread=15348,t:clientID=64658,t:applicationName=ManagerProcess,t:computerName=hostname01,Txt=Clnt: DstUserName1: user@domain.com StartProtocol: 0 Success 45:50.152011 - Minute, Second and Subsecond</LI-CODE><P>&nbsp;</P> Tue, 06 Feb 2024 16:34:29 GMT NoSpaces 2024-02-06T16:34:29Z https://community.splunk.com/t5/Getting-Data-In/Best-way-to-extract-time-from-file-name-and-text/m-p/676764#M113186 <P>Hello to everyone!<BR />I have a curious situation:<BR />I have log files that I collecting via SplunkUF<BR />This log file does not contain a whole timestamp - one part of the timestamp is contained in the file name, and the other is placed directly in the event</P><P><BR />As I found in the other answers, I have options.<BR />1. INGEST_EVAL on the indexer layer: I did not understand how I could take one part from the source and glue it with _raw data<BR /><A href="https://community.splunk.com/t5/Getting-Data-In/How-to-use-date-in-filename-as-the-timestamp-for-each-event/m-p/240175" target="_self">Link to the answer</A><BR /><BR />2. Use handmade script to create a valid timestamp for events - this is more understandable for me, but it looks like "reinventing the wheel"<BR /><BR /></P><P>So the question is, may I use the first option if it is possible?<BR />This is the an example of the source:</P><LI-CODE lang="markup">E:\logs\rmngr_*\24020514.log * - some number 24 - Year Month - 02 Day - 04 Hour - 14</LI-CODE><P><BR />And this is an example of the event:</P><LI-CODE lang="markup">45:50.152011-0,CONN,3,process=rmngr,p:processName=RegMngrCntxt,p:processName=ServerJobExecutorContext,OSThread=15348,t:clientID=64658,t:applicationName=ManagerProcess,t:computerName=hostname01,Txt=Clnt: DstUserName1: user@domain.com StartProtocol: 0 Success 45:50.152011 - Minute, Second and Subsecond</LI-CODE><P>&nbsp;</P> Tue, 06 Feb 2024 16:34:29 GMT https://community.splunk.com/t5/Getting-Data-In/Best-way-to-extract-time-from-file-name-and-text/m-p/676764#M113186 NoSpaces 2024-02-06T16:34:29Z https://community.splunk.com/t5/Getting-Data-In/Best-way-to-extract-time-from-file-name-and-text/m-p/677156#M113231 <P>Hi</P><P>you could look my old post&nbsp;<A href="https://community.splunk.com/t5/Getting-Data-In/How-to-apply-source-file-date-using-INGEST-as-Time/m-p/596865" target="_blank">https://community.splunk.com/t5/Getting-Data-In/How-to-apply-source-file-date-using-INGEST-as-Time/m-p/596865</A>.</P><P>You need to do small modifications to it.&nbsp;</P><OL><LI>Select correct format into 1st replace part to get year to hour part from source.&nbsp;</LI><LI>Replace tostring part with take your minutes to sub second from _raw e.g. substring/replace&nbsp;</LI><LI>modify format string to match your combined year to sub second format</LI></OL><P>You could test this like I have done on above post. If needed, don’t hesitate to ask more help.</P><P>Remember that INGEST_EVAL must be an one command only.</P><P>r. Ismo</P> Fri, 09 Feb 2024 18:00:03 GMT https://community.splunk.com/t5/Getting-Data-In/Best-way-to-extract-time-from-file-name-and-text/m-p/677156#M113231 isoutamo 2024-02-09T18:00:03Z https://community.splunk.com/t5/Getting-Data-In/Best-way-to-extract-time-from-file-name-and-text/m-p/677542#M113272 <P>After a lot of tries, I finally did it<BR />Looks simple when you know what to do<BR />Thank you for advertising the substr function <span class="lia-unicode-emoji" title=":grinning_face_with_big_eyes:">😃</span></P><P>The final result is below</P><P><BR /><BR />props.conf</P><LI-CODE lang="markup">[oce_file_rphost] TRANSFORMS-oce_file_tc0 = oce_file_tc0 LINE_BREAKER = ()\d{2}:\d{2}.\d+-\d+, SHOULD_LINEMERGE = false</LI-CODE><P><BR />transform.conf</P><LI-CODE lang="markup">[oce_file_tc0] INGEST_EVAL = _time = strptime("20" + replace(source,".*\\\\(\d{8}).log","\1") + substr(_raw,0,12),"%Y%m%d%H%M:%S.%6Q")</LI-CODE><P><BR /><BR /></P> Wed, 14 Feb 2024 09:49:34 GMT https://community.splunk.com/t5/Getting-Data-In/Best-way-to-extract-time-from-file-name-and-text/m-p/677542#M113272 NoSpaces 2024-02-14T09:49:34Z