topic Re: _time From file Name in Getting Data In

_time From file Name

jimjohn — Mon, 28 Sep 2020 16:13:27 GMT

I want splunk to populate _time field with value from file name.
for ex my file name is ABC_20140131 I want _time field with value 01/31/2014.
I looked http://blogs.splunk.com/2009/12/02/configure-splunk-to-pull-a-date-out-of-a-non-standard-filename/
and tried the configerations exaplined .But still I am getting _time as current time.
My changes are as follows.
etc\system\default\props.config

[host::DateFormat]
DATETIME_CONFIG =/etc/system/local/datetime.xml
TIME_PREFIX=ABC_
MAX_TIMESTAMP_LOOKAHEAD=20
TIME_FORMAT = %Y%m%d

datetime.xml

<define name="_isodate" extract="year, month, day">
       <text><![CDATA[source::ABC_\d{4}\d{2}\d{2}.*]]></text>
</define>
<datePatterns>
      <use name="_isodate"/>
</datePatterns>

Did I miss anything or can somebody give some suggestions on this.

Re: _time From file Name

kristian_kolb — Tue, 25 Mar 2014 07:26:20 GMT

Hi, I don't have much experience with custom datetime.xml configs, but one thing that looks suspicious is that you do not have any capturing groups in your regex, so splunk does not know which parts to extract as "year, month, day". You should probably have it more like;

ABC_(\d{4})(\d{2})(\d{2})

but there might be more things missing.

Re: _time From file Name

Ayn — Tue, 25 Mar 2014 07:53:01 GMT

Also is your host really called "DateFormat"??

Re: _time From file Name

MuS — Tue, 25 Mar 2014 08:04:28 GMT

and is your datetime.xml really in /etc/system/local or in $SPLUNK_HOME/etc/system/local/?

Re: _time From file Name

jimjohn — Mon, 28 Sep 2020 16:13:32 GMT

Regular expression I have corrected to ABC_(\d{4})(\d{2})(\d{2}) to get the groups.
Myhost hame is DateFormat and and I have corrected to refereeing as
$SPLUNK_HOME/etc/system/local/datetime.xml.
But still I am getting same result(_time with current time).

Re: _time From file Name

Ayn — Tue, 25 Mar 2014 09:39:29 GMT

You should check splunkd.log for errors from the timestamp processor.

Re: _time From file Name

kiddo258 — Thu, 22 Jan 2015 15:51:33 GMT

It says that

"If no events in a source have a date, Splunk Enterprise tries to find one in the source name or file name. (This requires that the events have a time, even though they don't have a date.)"