Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Add File Date Info to Monitored File Date

hartfoml
Motivator
‎05-22-2013 08:22 AM

I have a folder that a user puts files in on a semi regular bases. I monitor the folder for new files and put the items in the file into a separate index to use for search. I dedup the events before doing the search so that I don't search for any event twice even if the entry is put in the index twice because the event is in multiple files in the folder. I would like to add the file date to each event in the file so that I know when an event was created. the date on the file is the creation date not the date of index.

How can I add the file date onto each event in the file that is being indexed?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎05-22-2013 09:17 AM

If file date == index date, just use the field _indextime which holds this information.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎05-22-2013 09:17 AM

If file date == index date, just use the field _indextime which holds this information.

0 Karma
Reply
Solved! Jump to solution

hartfoml
Motivator
‎05-22-2013 09:34 AM

In most cases the file date will be the _indextime date field. the file may be created and moved into the folder on different dates. the file may be created on 5/22 but not put in the folder till 5/23. I would like all the events in the file to have the 5/22 origination date not the indexed date. Thanks for the tip and I will use the _indextime unless anyone else has a suggestion.

Thanks Ayn

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Unleash the Power of Splunk MCP and AI, Meet Us at .Conf 2025, and Find Even More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Professionals: Build Resilience and Visibility with These .conf25 ...

  If you're focused on performance, availability, and full-stack visibility, the Observability track at ...

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...
Top