https://community.splunk.com/t5/Getting-Data-In/Getting-date-from-filename-and-time-from-logs/m-p/95040#M19807 <P>Thanks Gerald. I have my own datetime.xml defined already, and it's working great for some events, but for certain events Splunk is pulling the date from some other values in the logs. </P> <P>So that is the reason why I'm asking if it's possible to change the timestamp recognition precedence so that it will hit my datetime.xml first before going to some other places to look for the date. </P> <P>Thanks for the response though, always appreciative of your help.</P> Tue, 30 Nov 2010 22:08:31 GMT silvermail 2010-11-30T22:08:31Z https://community.splunk.com/t5/Getting-Data-In/Getting-date-from-filename-and-time-from-logs/m-p/95036#M19803 <P>Hello,</P> <P>I am not sure if this is possible, but I have a file named called php_201000618.txt and inside the logs it contain something like:</P> <BLOCKQUOTE> <P>----------Time 20:54:17----------<BR /> HTTP/1.1 200 OK<BR /> Date: Sun, 6 Jun 2010 19:33:17 GMT<BR /> Server: Apache<BR /> Content-Length: 51<BR /> Keep-Alive: timeout=300, max=636<BR /></P> </BLOCKQUOTE> <P>I need to get the date from the filename 20100618 and the time from 20:54:17. Is it possible to split the timestamp recognition precedence into two components? </P> <P>I know it may seem easier to get it from the line "Date: Sun, 6 Jun 2010 19:33:17 GMT", but this line does not exist in all the lines - and the only reliable place is to get the date from the filename as well as the header "----------Time 20:54:17----------"</P> <P>Right now I have a props.conf that shows:</P> <BLOCKQUOTE> <P>TIME_PREFIX = ^----------Time<BR /> TIME_FORMAT = %H:%M:%S</P> </BLOCKQUOTE> <P>Time extraction is working fine, but I am getting some random dates which I am not sure why this is happening.</P> <P>Thanks for any suggestions.</P> Fri, 26 Nov 2010 14:46:45 GMT https://community.splunk.com/t5/Getting-Data-In/Getting-date-from-filename-and-time-from-logs/m-p/95036#M19803 silvermail 2010-11-26T14:46:45Z https://community.splunk.com/t5/Getting-Data-In/Getting-date-from-filename-and-time-from-logs/m-p/95037#M19804 <P>You may want to take a look at the following answer that has been posted. I believe that it answers your question as well.</P> <P><A href="http://splunk-base.splunk.com/answers/12015/setting-date-on-event-based-on-filename" rel="nofollow">http://splunk-base.splunk.com/answers/12015/setting-date-on-event-based-on-filename</A></P> Fri, 26 Nov 2010 21:09:18 GMT https://community.splunk.com/t5/Getting-Data-In/Getting-date-from-filename-and-time-from-logs/m-p/95037#M19804 Rob 2010-11-26T21:09:18Z https://community.splunk.com/t5/Getting-Data-In/Getting-date-from-filename-and-time-from-logs/m-p/95038#M19805 <P>Thanks Rob, but the example you have mentioned isn't what I was looking for. Thanks anyway...</P> Fri, 26 Nov 2010 23:13:22 GMT https://community.splunk.com/t5/Getting-Data-In/Getting-date-from-filename-and-time-from-logs/m-p/95038#M19805 silvermail 2010-11-26T23:13:22Z https://community.splunk.com/t5/Getting-Data-In/Getting-date-from-filename-and-time-from-logs/m-p/95039#M19806 <P>Try this: <A href="http://blogs.splunk.com/2009/12/02/configure-splunk-to-pull-a-date-out-of-a-non-standard-filename/" rel="nofollow">http://blogs.splunk.com/2009/12/02/configure-splunk-to-pull-a-date-out-of-a-non-standard-filename/</A></P> <P>Yours might not be so complicated, but the general idea holds.</P> Tue, 30 Nov 2010 04:45:35 GMT https://community.splunk.com/t5/Getting-Data-In/Getting-date-from-filename-and-time-from-logs/m-p/95039#M19806 gkanapathy 2010-11-30T04:45:35Z https://community.splunk.com/t5/Getting-Data-In/Getting-date-from-filename-and-time-from-logs/m-p/95040#M19807 <P>Thanks Gerald. I have my own datetime.xml defined already, and it's working great for some events, but for certain events Splunk is pulling the date from some other values in the logs. </P> <P>So that is the reason why I'm asking if it's possible to change the timestamp recognition precedence so that it will hit my datetime.xml first before going to some other places to look for the date. </P> <P>Thanks for the response though, always appreciative of your help.</P> Tue, 30 Nov 2010 22:08:31 GMT https://community.splunk.com/t5/Getting-Data-In/Getting-date-from-filename-and-time-from-logs/m-p/95040#M19807 silvermail 2010-11-30T22:08:31Z https://community.splunk.com/t5/Getting-Data-In/Getting-date-from-filename-and-time-from-logs/m-p/95041#M19808 <P>There is not, but if you make sure the datetime.xml contains only date formats that will definitely fail in the file, then it <EM>should</EM> fall through to the filename.</P> Wed, 01 Dec 2010 10:37:10 GMT https://community.splunk.com/t5/Getting-Data-In/Getting-date-from-filename-and-time-from-logs/m-p/95041#M19808 gkanapathy 2010-12-01T10:37:10Z https://community.splunk.com/t5/Getting-Data-In/Getting-date-from-filename-and-time-from-logs/m-p/95042#M19809 <P>The link provided by Rob has been "updated" to better suit your use-case <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> Take a look at it now!</P> Mon, 23 May 2011 13:43:16 GMT https://community.splunk.com/t5/Getting-Data-In/Getting-date-from-filename-and-time-from-logs/m-p/95042#M19809 hexx 2011-05-23T13:43:16Z https://community.splunk.com/t5/Getting-Data-In/Getting-date-from-filename-and-time-from-logs/m-p/95043#M19810 <P>I set TIME_PREFIX TIME_FORMAT and plus LOOK_AHEAD(how long the time string is) then ,it works well.</P> Tue, 29 Sep 2020 11:35:31 GMT https://community.splunk.com/t5/Getting-Data-In/Getting-date-from-filename-and-time-from-logs/m-p/95043#M19810 kenkenou 2020-09-29T11:35:31Z