date and month recognition from soruce file name f...

realajay89 · ‎10-06-2014

i am trying to implement Time picker for my dashboard . the dashboard gives monthly statistics .
my source data doesn't have any date or month or any timestamp ..
my source file name is " BTM_Net_July.csv" and BTM_Net_august.csv"
now as i select date ranges in splunk . i would like to get the results on the dashboard for that particular month.
i want the timepicker to pick the date from the source filename .
how is it possible . can anyone guide me .
Thanks

theouhuios · ‎10-06-2014

You can write a search to populate that. basically a rex should do it .

When the data is indexed is splunk placing the timestamp? There will be a _time value which will denote the time of the event ( In your case its very likely that splunk places the timestamp of when the file was indexed instead of the _time of event). So if a file in july has been indexed in Aug it might place the date in Aug when the file has been indexed as the _time value.

Coming back to rex

<| rex field=source "BTM_NET_(?\w+)\.">

will give you the month. To limit the data to this you might want to do this if the _time value becomes an issue.

   sourcetype=<yoursourcetype> source=*$Month$.csv | <remainingsearch>

date and month recognition from soruce file name for timepicker implementation

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

date and month recognition from soruce file name for timepicker implementation

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem