https://community.splunk.com/t5/Splunk-Search/how-to-extract-date-from-filename-and-add-it-with-time-from/m-p/329741#M98177 <P>@bkumarm, glad it worked. Please up vote the comment if it helped.</P> Wed, 26 Jul 2017 10:53:45 GMT niketn 2017-07-26T10:53:45Z https://community.splunk.com/t5/Splunk-Search/how-to-extract-date-from-filename-and-add-it-with-time-from/m-p/329736#M98172 <P>We have log files with names like: " <STRONG>my-file-log1.2017-07-25.name.log"</STRONG><BR /> The events in the log are like this:<BR /> 060047.342061Z INFO ASDFTestStatusMsg::eval: Passed(123/567892)</P> <P>The time format in the events is: HHmmss.SSSSSS or HHmmss.SSS</P> <P><STRONG>Requirement</STRONG> is to add the date from filename into all the events at index time. <BR /> I also need help in converting the time into proper timestamp.</P> <P>any solutions suggested?</P> <P>Thanks,<BR /> Bharath</P> Tue, 25 Jul 2017 13:29:34 GMT https://community.splunk.com/t5/Splunk-Search/how-to-extract-date-from-filename-and-add-it-with-time-from/m-p/329736#M98172 bkumarm 2017-07-25T13:29:34Z https://community.splunk.com/t5/Splunk-Search/how-to-extract-date-from-filename-and-add-it-with-time-from/m-p/329737#M98173 <P>I see that the <A href="http://docs.splunk.com/Documentation/Splunk/6.3.4/Data/HowSplunkextractstimestamps">http://docs.splunk.com/Documentation/Splunk/6.3.4/Data/HowSplunkextractstimestamps</A><BR /> says it does by default. but it is not working for me</P> Tue, 25 Jul 2017 13:52:11 GMT https://community.splunk.com/t5/Splunk-Search/how-to-extract-date-from-filename-and-add-it-with-time-from/m-p/329737#M98173 bkumarm 2017-07-25T13:52:11Z https://community.splunk.com/t5/Splunk-Search/how-to-extract-date-from-filename-and-add-it-with-time-from/m-p/329738#M98174 <P>@bkumarm, in your props.conf, have you extracted only the <STRONG>time</STRONG> from your logs? If you have not as it is mentioned in the documentation Splunk will default time to file modified timestamp. If you extract the time properly, Splunk should be able to pull the date from the filename. Proper time format seems to be following:</P> <PRE><CODE>[&lt;yourSourceTypeName&gt;] TIME_FORMAT=%H%M%S.%6N </CODE></PRE> <P>Please try out and confirm.</P> Tue, 25 Jul 2017 15:46:25 GMT https://community.splunk.com/t5/Splunk-Search/how-to-extract-date-from-filename-and-add-it-with-time-from/m-p/329738#M98174 niketn 2017-07-25T15:46:25Z https://community.splunk.com/t5/Splunk-Search/how-to-extract-date-from-filename-and-add-it-with-time-from/m-p/329739#M98175 <P>So when you search this data you do not get the fields <BR /> date_hour<BR /> date_mday<BR /> date_minute</P> <P>etc?</P> <P>Does adding this to your search add a new field named "indextime" ?</P> <P>| eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S") </P> Tue, 29 Sep 2020 15:03:34 GMT https://community.splunk.com/t5/Splunk-Search/how-to-extract-date-from-filename-and-add-it-with-time-from/m-p/329739#M98175 JDukeSplunk 2020-09-29T15:03:34Z https://community.splunk.com/t5/Splunk-Search/how-to-extract-date-from-filename-and-add-it-with-time-from/m-p/329740#M98176 <P>Thanks Niket, your clue helped us resolve the issue.<BR /> in your props.conf, []<BR /> TIME_FORMAT=%H%M%S.%6N</P> <P>we had also problem in filename, that we fixed.</P> <P>-Bharath</P> Wed, 26 Jul 2017 05:58:09 GMT https://community.splunk.com/t5/Splunk-Search/how-to-extract-date-from-filename-and-add-it-with-time-from/m-p/329740#M98176 bkumarm 2017-07-26T05:58:09Z https://community.splunk.com/t5/Splunk-Search/how-to-extract-date-from-filename-and-add-it-with-time-from/m-p/329741#M98177 <P>@bkumarm, glad it worked. Please up vote the comment if it helped.</P> Wed, 26 Jul 2017 10:53:45 GMT https://community.splunk.com/t5/Splunk-Search/how-to-extract-date-from-filename-and-add-it-with-time-from/m-p/329741#M98177 niketn 2017-07-26T10:53:45Z