https://community.splunk.com/t5/Splunk-Search/creating-a-masheddate3-in-datetime-xml/m-p/14422#M1536 <P>Hi have a log which is inside folder which folder name is date<BR /> i give folder name or path is=<BR /> C:\Users\T_NiteshS1\Documents\My Received Files\20150511\log2.log</P> <P>If you see before log2.log you get folder 20150511 This is date<BR /> if you expend 20150511 this yyyymmdd</P> <P>how is set in datetime.xml i don't now xml</P> <P>I try many way but fail<BR /> my try<BR /> [CDATA[source::.*?\[My]+\ [Received]+\ [Files]+\(\d{4})(\d{2})(\d{2})\[NB92-Transaction07.log]+]</P> <P>[CDATA[source::.*?\(\d{4})(\d{2})(\d{2})\[NB92-Transaction07.log]+]</P> <P>[CDATA[source::.*?\(\d{4})(\d{2})(\d{2})\]</P> <P>[CDATA[source::.*?\(\d{4})(\d{2})(\d{2})]</P> <P>[CDATA[source::.*?\My Received Files(\d{4})(\d{2})(\d{2})]</P> <P>and so many way i try</P> Wed, 13 May 2015 09:30:09 GMT nitesh218ss 2015-05-13T09:30:09Z https://community.splunk.com/t5/Splunk-Search/creating-a-masheddate3-in-datetime-xml/m-p/14413#M1527 <P>This is a question stemmed from <A href="http://answers.splunk.com/questions/2996/strptime-format-for-yyyymmddhhmmss" rel="nofollow">http://answers.splunk.com/questions/2996/strptime-format-for-yyyymmddhhmmss</A> and <A href="http://answers.splunk.com/questions/2831/index-on-regex-field-from-source" rel="nofollow">http://answers.splunk.com/questions/2831/index-on-regex-field-from-source</A></P> <P>my event source looks like this ".../scripts/<STRONG>201005271243</STRONG>/data/file.txt".</P> <P>End goal is to parse the date from the source.</P> <P>I have copied the datetime.xml file to myapp/default dir.</P> <P>i have modified props.conf to</P> <PRE><CODE>[my_sourcetype] DATETIME_CONFIG = /opt/splunk/etc/apps/myapp/default/datetime.xml </CODE></PRE> <P>i have modified datetime.xml to </P> <PRE><CODE>&lt;define name="_masheddate3" extract="year, month, day, hour, minute"&gt; &lt;text&gt;&lt;![CDATA[(?:^|source::).*\/scripts\/(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})\/data.*]]&gt;&lt;/text&gt; &lt;/define&gt; </CODE></PRE> <P>as well as the </P> <PRE><CODE>&lt;datePatterns&gt;&lt;use name="_masheddate3"/&gt; </CODE></PRE> <P>...to no avail. Index doesn't seem to populate at all. </P> Thu, 27 May 2010 23:54:48 GMT https://community.splunk.com/t5/Splunk-Search/creating-a-masheddate3-in-datetime-xml/m-p/14413#M1527 hiddenkirby 2010-05-27T23:54:48Z https://community.splunk.com/t5/Splunk-Search/creating-a-masheddate3-in-datetime-xml/m-p/14414#M1528 <P>i suspect the regex to be incorrect.</P> Fri, 28 May 2010 01:03:33 GMT https://community.splunk.com/t5/Splunk-Search/creating-a-masheddate3-in-datetime-xml/m-p/14414#M1528 hiddenkirby 2010-05-28T01:03:33Z https://community.splunk.com/t5/Splunk-Search/creating-a-masheddate3-in-datetime-xml/m-p/14415#M1529 <P>Well, your regex does seem to work, however, you may want to tweak it to (1) only match <CODE>source::</CODE> patterns, although you have enough other path-like matching it's unlikely to match else where, and (2) remove the unnecessary escaping for <CODE>/</CODE>, but I'm not sure that would cause you a problem.</P> <P>I'd suggest, something like this:</P> <PRE><CODE>&lt;text&gt;&lt;![CDATA[source::.*?/scripts/(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})/data/]]&gt;&lt;/text&gt; </CODE></PRE> <P>I also dropped off the <CODE>.*</CODE> from the end since the other rules don't have any such matching at the end. I also replaced your <CODE>.*</CODE> at the front with the non-greedy <CODE>.*?</CODE> which, should help performance.</P> <P>Hmmm, I think this could be your problem.... Your <CODE>_masheddate3</CODE> is contains not only a date but also a time. It looks like <CODE>_combdatetime</CODE> for example, is setup in both the <CODE>timePatterns</CODE> listing as well as the <CODE>datePatterns</CODE>. So if you don't have your entry in both, then I'd give that a try.</P> Fri, 28 May 2010 03:07:30 GMT https://community.splunk.com/t5/Splunk-Search/creating-a-masheddate3-in-datetime-xml/m-p/14415#M1529 Lowell 2010-05-28T03:07:30Z https://community.splunk.com/t5/Splunk-Search/creating-a-masheddate3-in-datetime-xml/m-p/14416#M1530 <P>how do i know if it failed.. other than finding the index did not populate? is an error in _internal ?</P> Fri, 28 May 2010 03:50:05 GMT https://community.splunk.com/t5/Splunk-Search/creating-a-masheddate3-in-datetime-xml/m-p/14416#M1530 hiddenkirby 2010-05-28T03:50:05Z https://community.splunk.com/t5/Splunk-Search/creating-a-masheddate3-in-datetime-xml/m-p/14417#M1531 <P>Ah hah! "Can't open DatePaser XML configuration file ...datetime.xml" No such file or directory.</P> Fri, 28 May 2010 03:55:55 GMT https://community.splunk.com/t5/Splunk-Search/creating-a-masheddate3-in-datetime-xml/m-p/14417#M1531 hiddenkirby 2010-05-28T03:55:55Z https://community.splunk.com/t5/Splunk-Search/creating-a-masheddate3-in-datetime-xml/m-p/14418#M1532 <P>bad path to datetime.xml</P> Fri, 28 May 2010 04:09:53 GMT https://community.splunk.com/t5/Splunk-Search/creating-a-masheddate3-in-datetime-xml/m-p/14418#M1532 hiddenkirby 2010-05-28T04:09:53Z https://community.splunk.com/t5/Splunk-Search/creating-a-masheddate3-in-datetime-xml/m-p/14419#M1533 <P>lol. Sometimes it's the simple things that take the most time to find. (I've been there many many times). Good catch. Hey, let me know about the whole time/date Patterns thing, does it make a difference?</P> Fri, 28 May 2010 04:29:54 GMT https://community.splunk.com/t5/Splunk-Search/creating-a-masheddate3-in-datetime-xml/m-p/14419#M1533 Lowell 2010-05-28T04:29:54Z https://community.splunk.com/t5/Splunk-Search/creating-a-masheddate3-in-datetime-xml/m-p/14420#M1534 <P>You do need to list the name of your rule in both the <CODE>datePatterns</CODE> and <CODE>timePatterns</CODE> part of the <CODE>datetime.xml</CODE> if you want it to get both date and time. It's okay to list the same rule in both places.</P> Fri, 28 May 2010 06:44:26 GMT https://community.splunk.com/t5/Splunk-Search/creating-a-masheddate3-in-datetime-xml/m-p/14420#M1534 gkanapathy 2010-05-28T06:44:26Z https://community.splunk.com/t5/Splunk-Search/creating-a-masheddate3-in-datetime-xml/m-p/14421#M1535 <P>I added it to both time and date .. still no go. Seems to still run off of the last modified date. New question... <A href="http://answers.splunk.com/questions/3102/datetime-xml-change-doesnt-seem-to-be-working">http://answers.splunk.com/questions/3102/datetime-xml-change-doesnt-seem-to-be-working</A></P> Fri, 28 May 2010 23:46:32 GMT https://community.splunk.com/t5/Splunk-Search/creating-a-masheddate3-in-datetime-xml/m-p/14421#M1535 hiddenkirby 2010-05-28T23:46:32Z https://community.splunk.com/t5/Splunk-Search/creating-a-masheddate3-in-datetime-xml/m-p/14422#M1536 <P>Hi have a log which is inside folder which folder name is date<BR /> i give folder name or path is=<BR /> C:\Users\T_NiteshS1\Documents\My Received Files\20150511\log2.log</P> <P>If you see before log2.log you get folder 20150511 This is date<BR /> if you expend 20150511 this yyyymmdd</P> <P>how is set in datetime.xml i don't now xml</P> <P>I try many way but fail<BR /> my try<BR /> [CDATA[source::.*?\[My]+\ [Received]+\ [Files]+\(\d{4})(\d{2})(\d{2})\[NB92-Transaction07.log]+]</P> <P>[CDATA[source::.*?\(\d{4})(\d{2})(\d{2})\[NB92-Transaction07.log]+]</P> <P>[CDATA[source::.*?\(\d{4})(\d{2})(\d{2})\]</P> <P>[CDATA[source::.*?\(\d{4})(\d{2})(\d{2})]</P> <P>[CDATA[source::.*?\My Received Files(\d{4})(\d{2})(\d{2})]</P> <P>and so many way i try</P> Wed, 13 May 2015 09:30:09 GMT https://community.splunk.com/t5/Splunk-Search/creating-a-masheddate3-in-datetime-xml/m-p/14422#M1536 nitesh218ss 2015-05-13T09:30:09Z