https://community.splunk.com/t5/Getting-Data-In/index-on-regex-field-from-source/m-p/14080#M1375 <P>Thank you! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 24 May 2010 22:50:18 GMT hiddenkirby 2010-05-24T22:50:18Z https://community.splunk.com/t5/Getting-Data-In/index-on-regex-field-from-source/m-p/14073#M1368 <P>I have a dir of text files named like such scriptcalled_201005211317_stdout.txt</P> <P>how do i index them on that date? I understand splunk already tries to pull the date from the source.. but if i can specify a regex i would prefer that... and i think it would be faster.</P> <P>TIA,</P> Sat, 22 May 2010 02:28:42 GMT https://community.splunk.com/t5/Getting-Data-In/index-on-regex-field-from-source/m-p/14073#M1368 hiddenkirby 2010-05-22T02:28:42Z https://community.splunk.com/t5/Getting-Data-In/index-on-regex-field-from-source/m-p/14074#M1369 <P>Timestamp extraction from source is controlled in the <CODE>$SPLUNK_HOME/etc/datetime.xml</CODE> file. Search the file for "<CODE>source::</CODE>" and you'll see the formats supported.</P> <P>I think this is your only option. And regexes are definitely involved, although probably not in the way you were thinking.</P> Sat, 22 May 2010 03:39:43 GMT https://community.splunk.com/t5/Getting-Data-In/index-on-regex-field-from-source/m-p/14074#M1369 Lowell 2010-05-22T03:39:43Z https://community.splunk.com/t5/Getting-Data-In/index-on-regex-field-from-source/m-p/14075#M1370 <P>can i create a _masheddate3 w/ my very specific regex?</P> Sat, 22 May 2010 04:30:51 GMT https://community.splunk.com/t5/Getting-Data-In/index-on-regex-field-from-source/m-p/14075#M1370 hiddenkirby 2010-05-22T04:30:51Z https://community.splunk.com/t5/Getting-Data-In/index-on-regex-field-from-source/m-p/14076#M1371 <P>or would i do something similar to this in props.conf [source::/Applications/splunk/var/spool/splunk] <BR /> TIME_PREFIX = <EM>\d{14}</EM></P> Mon, 28 Sep 2020 09:12:41 GMT https://community.splunk.com/t5/Getting-Data-In/index-on-regex-field-from-source/m-p/14076#M1371 hiddenkirby 2020-09-28T09:12:41Z https://community.splunk.com/t5/Getting-Data-In/index-on-regex-field-from-source/m-p/14077#M1372 <P>or even something ot format it? <BR /> [source::/Applications/splunk/var/spool/splunk] TIME_PREFIX = <EM>(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})</EM> FORMAT = $1/$2/$3 $4:$5:$6</P> Mon, 28 Sep 2020 09:12:44 GMT https://community.splunk.com/t5/Getting-Data-In/index-on-regex-field-from-source/m-p/14077#M1372 hiddenkirby 2020-09-28T09:12:44Z https://community.splunk.com/t5/Getting-Data-In/index-on-regex-field-from-source/m-p/14078#M1373 <P>i found <A href="http://www.splunk.com/base/Documentation/4.1.2/Admin/TrainSplunkToRecognizeATimestamp">http://www.splunk.com/base/Documentation/4.1.2/Admin/TrainSplunkToRecognizeATimestamp</A></P> <P>i'll try to create my own datetime.xml <span class="lia-unicode-emoji" title=":face_with_tongue:">😛</span></P> Sat, 22 May 2010 04:44:48 GMT https://community.splunk.com/t5/Getting-Data-In/index-on-regex-field-from-source/m-p/14078#M1373 hiddenkirby 2010-05-22T04:44:48Z https://community.splunk.com/t5/Getting-Data-In/index-on-regex-field-from-source/m-p/14079#M1374 <P>See here: <A href="http://blogs.splunk.com/2009/12/02/configure-splunk-to-pull-a-date-out-of-a-non-standard-filename/" rel="nofollow">http://blogs.splunk.com/2009/12/02/configure-splunk-to-pull-a-date-out-of-a-non-standard-filename/</A></P> <P>The default Splunk settings do many different formats, but you can be as specific as you like.</P> Sat, 22 May 2010 08:00:42 GMT https://community.splunk.com/t5/Getting-Data-In/index-on-regex-field-from-source/m-p/14079#M1374 gkanapathy 2010-05-22T08:00:42Z https://community.splunk.com/t5/Getting-Data-In/index-on-regex-field-from-source/m-p/14080#M1375 <P>Thank you! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 24 May 2010 22:50:18 GMT https://community.splunk.com/t5/Getting-Data-In/index-on-regex-field-from-source/m-p/14080#M1375 hiddenkirby 2010-05-24T22:50:18Z https://community.splunk.com/t5/Getting-Data-In/index-on-regex-field-from-source/m-p/14081#M1376 <P>see <A href="http://answers.splunk.com/questions/3055/creating-a-masheddate3-in-datetime-xml/">http://answers.splunk.com/questions/3055/creating-a-masheddate3-in-datetime-xml/</A></P> Fri, 28 May 2010 04:10:23 GMT https://community.splunk.com/t5/Getting-Data-In/index-on-regex-field-from-source/m-p/14081#M1376 hiddenkirby 2010-05-28T04:10:23Z