Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Add File Date Info to Monitored File Date

hartfoml
Motivator
‎05-22-2013 08:22 AM

I have a folder that a user puts files in on a semi regular bases. I monitor the folder for new files and put the items in the file into a separate index to use for search. I dedup the events before doing the search so that I don't search for any event twice even if the entry is put in the index twice because the event is in multiple files in the folder. I would like to add the file date to each event in the file so that I know when an event was created. the date on the file is the creation date not the date of index.

How can I add the file date onto each event in the file that is being indexed?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎05-22-2013 09:17 AM

If file date == index date, just use the field _indextime which holds this information.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎05-22-2013 09:17 AM

If file date == index date, just use the field _indextime which holds this information.

0 Karma
Reply
Solved! Jump to solution

hartfoml
Motivator
‎05-22-2013 09:34 AM

In most cases the file date will be the _indextime date field. the file may be created and moved into the folder on different dates. the file may be created on 5/22 but not put in the folder till 5/23. I would like all the events in the file to have the 5/22 origination date not the indexed date. Thanks for the tip and I will use the _indextime unless anyone else has a suggestion.

Thanks Ayn

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...