<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Extract date from a varying source name in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Extract-date-from-a-varying-source-name/m-p/170251#M34405</link>
    <description></description>
    <pubDate>Fri, 06 Dec 2013 18:13:06 GMT</pubDate>
    <dc:creator>luv</dc:creator>
    <dc:date>2013-12-06T18:13:06Z</dc:date>
    <item>
      <title>Extract date from a varying source name</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Extract-date-from-a-varying-source-name/m-p/170251#M34405</link>
      <description>&lt;P&gt;Hi Guys,&lt;/P&gt;

&lt;P&gt;My log files have events with the time stamp on them, just the time, not the date, but luckily the source name has the date in it, and Splunk automatically identifies the date from the source name and displays it with the events accordingly.&lt;/P&gt;

&lt;P&gt;My logs:- &lt;BR /&gt;
10:32:21,453 INFO [2212] abcdxyz&lt;BR /&gt;
10:32:21,112 INFO [2212] abcdxyz&lt;BR /&gt;
10:32:22,409 INFO [1121] abcdxyz&lt;/P&gt;

&lt;P&gt;source names :- server-nameA.2013-10-01&lt;BR /&gt;
                  server-nameB.2013-10-01&lt;/P&gt;

&lt;P&gt;Splunk is showing the events after indexing like:&lt;/P&gt;

&lt;P&gt;2013/10/01 10:32:21,453 INFO [2212] abcdxyz&lt;BR /&gt;
2013/10/01 10:32:21,112 INFO [2212] abcdxyz&lt;BR /&gt;
2013/10/01 10:32:22,409 INFO [1121] abcdxyz&lt;/P&gt;

&lt;P&gt;But sometimes my log files also have a version number attached to them at the end.&lt;/P&gt;

&lt;P&gt;source name with version number : server-nameA.2013-10-01.1&lt;BR /&gt;
                                     server-nameB.2013-10-01.1&lt;/P&gt;

&lt;P&gt;Now Splunk is also taking the version number for the date, and after indexing my events look like:&lt;/P&gt;

&lt;P&gt;&lt;STRONG&gt;2010/10/01&lt;/STRONG&gt; 10:33:23,343 INFO [2232] abcdxyz&lt;BR /&gt;
&lt;STRONG&gt;2010/10/01&lt;/STRONG&gt; 10:33:19,144 INFO [2394] abcdxyz&lt;BR /&gt;
&lt;STRONG&gt;2010/10/01&lt;/STRONG&gt; 10:34:23,239 INFO [1943] abcdxyz&lt;/P&gt;

&lt;P&gt;I want the date to be 2013/10/01, not 2010/10/01, when the source name is something like server-nameA.2013-10-01.1&lt;/P&gt;

&lt;P&gt;I have searched through the internet for an answer, but none of them assured me a valid result.&lt;BR /&gt;
Please, can anyone help me fix this issue?&lt;/P&gt;

&lt;P&gt;Many Regards...&lt;/P&gt;</description>
      <pubDate>Fri, 06 Dec 2013 18:13:06 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Extract-date-from-a-varying-source-name/m-p/170251#M34405</guid>
      <dc:creator>luv</dc:creator>
      <dc:date>2013-12-06T18:13:06Z</dc:date>
    </item>
    <item>
      <title>Re: Extract date from a varying source name</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Extract-date-from-a-varying-source-name/m-p/170252#M34406</link>
      <description>&lt;P&gt;I don't see that the event example you listed the 2nd time is different from the 1st one. Did you miss pasting the new data?&lt;/P&gt;</description>
      <pubDate>Fri, 06 Dec 2013 19:07:55 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Extract-date-from-a-varying-source-name/m-p/170252#M34406</guid>
      <dc:creator>somesoni2</dc:creator>
      <dc:date>2013-12-06T19:07:55Z</dc:date>
    </item>
    <item>
      <title>Re: Extract date from a varying source name</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Extract-date-from-a-varying-source-name/m-p/170253#M34407</link>
      <description>&lt;P&gt;time stamp without version in source name:-&lt;BR /&gt;
2013/10/01 10:32:21,453 INFO [2212] abcdxyz&lt;/P&gt;

&lt;P&gt;time stamp with version in source name:-&lt;BR /&gt;
2010/10/01 10:33:23,343 INFO [2232] abcdxyz&lt;/P&gt;

&lt;P&gt;In the second example Splunk is taking the version number of the source name, hence the date is shifted from 2013/10/01 to 2010/10/01.&lt;/P&gt;</description>
      <pubDate>Fri, 06 Dec 2013 19:49:40 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Extract-date-from-a-varying-source-name/m-p/170253#M34407</guid>
      <dc:creator>luv</dc:creator>
      <dc:date>2013-12-06T19:49:40Z</dc:date>
    </item>
    <item>
      <title>Re: Extract date from a varying source name</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Extract-date-from-a-varying-source-name/m-p/170254#M34408</link>
      <description>&lt;P&gt;I'd strongly suggest that you get the application to log complete timestamps (ideally in ISO format with timezone).&lt;/P&gt;

&lt;P&gt;If you are unable to do so, are you able to remove the date from the filename?&lt;/P&gt;

&lt;P&gt;If you are unable to do so, you can try modifying your props.conf like so:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[my_application_source_type]
TIME_FORMAT = %H:%M:%S,%3N
MAX_DAYS_AGO=1
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;If none of those options are viable, you can just use the current time:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[my_application_source_type]
DATETIME_CONFIG = CURRENT
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Tue, 17 Dec 2013 10:31:22 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Extract-date-from-a-varying-source-name/m-p/170254#M34408</guid>
      <dc:creator>dart</dc:creator>
      <dc:date>2013-12-17T10:31:22Z</dc:date>
    </item>
    <item>
      <title>Re: Extract date from a varying source name</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Extract-date-from-a-varying-source-name/m-p/170255#M34409</link>
      <description>&lt;P&gt;[my_application_source_type]&lt;BR /&gt;
TIME_FORMAT = %H:%M:%S,%3N&lt;BR /&gt;
MAX_DAYS_AGO=1&lt;/P&gt;

&lt;P&gt;I made the above changes in my props.conf, and now Splunk is taking the current date for my events. It's still not taking the date from the source name &lt;span class="lia-unicode-emoji" title=":disappointed_face:"&gt;😞&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 28 Sep 2020 15:30:51 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Extract-date-from-a-varying-source-name/m-p/170255#M34409</guid>
      <dc:creator>luv</dc:creator>
      <dc:date>2020-09-28T15:30:51Z</dc:date>
    </item>
  </channel>
</rss>

