topic Re: getting event timestamp from source file name in Getting Data In

getting event timestamp from source file name

lyndac — Thu, 27 May 2010 00:48:26 GMT

I have a .csv file that I'm indexing. There is no timestamp information in the .csv file, but there is a date in the file name itself. How can I tell splunk to use the date in the SOURCE as the timestamp for each event in the file?

Ex filenames:

MY_FILE-2010-05-25.csv
MY_FILE-2010-05-26.csv

Re: getting event timestamp from source file name

piebob — Thu, 27 May 2010 01:53:36 GMT

is splunk not automatically getting the timestamp from the filename? what is being used instead?

Re: getting event timestamp from source file name

Lowell — Thu, 27 May 2010 02:55:50 GMT

This should be done automatically.

You can get more info about a custom setup on this blog entry:

http://blogs.splunk.com/2009/12/02/configure-splunk-to-pull-a-date-out-of-a-non-standard-filename/

However, this is a pretty popular date format, so you shouldn't need a custom setup. This date should match the _isodate named format. (As seen in the default datetime.xml file.)

Re: getting event timestamp from source file name

gkanapathy — Mon, 28 Sep 2020 09:12:58 GMT

To make sure it gets the date from the file name, configure you TIME_PREFIX, TIME_FORMAT, and MAX_TIMESTAMP_LOOKAHEAD so that there is no possibility that it will find a date elsewhere in your event text. (Splunk is somewhat aggressive about this if you leave it on its own.) Once it fails there, it will find its way to finding the date in the file name.

Re: getting event timestamp from source file name

lyndac — Mon, 28 Sep 2020 09:13:01 GMT

I updated my props.conf to have TIME_PREFIX=FILE- TIME_FORMAT=%Y-%m-%d MAX_TIMESTAMP_LOOKAHEAD=20 and SPLUNK used the modified date of the file as the timestamp. (not the date in the filename).

Re: getting event timestamp from source file name

lyndac — Thu, 27 May 2010 21:16:53 GMT

it's using the modification time of the file.