topic Re: strptime() format for yyyymmddhhmmss? in Getting Data In

strptime() format for yyyymmddhhmmss?

hiddenkirby — Wed, 26 May 2010 21:33:26 GMT

strptime() format expression examples

Below are some sample date formats with strptime() expressions that handle them.

1998-12-31 %Y-%m-%d 98-12-31 %y-%m-%d 1998 years, 312 days %Y years, %j days Jan 24, 2003 %b %d, %Y January 24, 2003 %B %d, %Y q|25 Feb '03 = 2003-02-25| q|%d %b '%y = %Y-%m-%d|

does one exist for yyyymmddhhmmss?

my source field will look like this /dir/to/file/on/20100526123445/file.txt

curious if the dynamic date extraction could figure this out.

Re: strptime() format for yyyymmddhhmmss?

dwaddle — Wed, 26 May 2010 21:36:29 GMT

You should use something like %Y%m%d%H%M%S

Re: strptime() format for yyyymmddhhmmss?

Lowell — Wed, 26 May 2010 21:36:34 GMT

For extractions from a path, open up the $SPLUNK_HOME/etc/datetime.xml and search for entries prefixed with source::. It doesn't look like one exists right now, but you would probably have to add one. Since your timestamp has no breakers in it (there are no non-digits after the yyyymmmdd portion) then nothing in the source will match, based on the existing rexes in datetime.xml

I see you've had some other questions on this topic. I'm guessing that creating your own datetime.xml and it isn't working. Is that correct? If you post what you've tried someone may be able to help track it down.

And just for the record, the datetime.xml file uses all regexes, and is not a strptime() thing at all.

If you're looking to setup an entry for a TIME_FORMAT entry in a props.conf file? If so, try:

TIME_FORMAT = %Y%m%d%H%M%S

Re: strptime() format for yyyymmddhhmmss?

gkanapathy — Wed, 26 May 2010 21:46:21 GMT

No, it will not get that format, though it might be able to get the date if the timestamps are in the file. If there is nothing in the file that can be misinterpreted as the date (which after all is just a 14-digit number), you may be able to use TIME_FORMAT. Otherwise, you should define a custom datetime.xml file.

Re: strptime() format for yyyymmddhhmmss?

hiddenkirby — Wed, 26 May 2010 21:49:36 GMT

this worked... HOWEVER... it only worked if i specified TIME_PREFIX.

Re: strptime() format for yyyymmddhhmmss?

hiddenkirby — Mon, 28 Sep 2020 09:12:55 GMT

if it was /home/kirb/logs/20100521123456/file.txt TIME_PREFIX=\/logs\/ TIME_FORMAT=%Y%m%d%H%M%S

Re: strptime() format for yyyymmddhhmmss?

Lowell — Wed, 26 May 2010 21:55:37 GMT

Is the name (full path) of the log file stored within the log file itself? I didn't think you could use a TIME_PREFIX to match against source.

Re: strptime() format for yyyymmddhhmmss?

hiddenkirby — Thu, 27 May 2010 20:24:56 GMT

I miss understood what TIME_PREFIX did. The closer i look at the results of the indexing ... i notice it didn't work. There were a bunch of coincidental matches on information w/in the file. 😕

Re: strptime() format for yyyymmddhhmmss?

hiddenkirby — Thu, 27 May 2010 20:55:20 GMT

I tried http://www.splunk.com/base/Documentation/4.1.2/Admin/TrainSplunkToRecognizeATimestamp to help build the regex on "/dir/to/file/on/20100526123445/file.txt" to parse the date fields... but to no avail. I wanted to use that regex for my _masheddate3 in a local datetime.xml for my app. Am i closer?