Date stamp in directory name

suhprano · ‎05-15-2012

How can I configure splunk to index or accept the datestamp in the name of directories?
The events only have time stamps.

Example:

drwxr-xr-x 2 test test 57344 May 13 03:35 20120513
drwxr-xr-x 2 test test 57344 May 14 21:21 20120514
drwxr-xr-x 2 test test 57344 May 15 18:31 20120515

I'm having issues when I restart the forwarder and it doesn't recognize the date time in the meta data.

woodcock · ‎07-06-2015

I am assuming that you are getting the date from the directory but the time from the events. You do it like this:

$SPLUNK_HOME/etc/apps/myApp/default/props.conf

DATETIME_CONFIG = /etc/apps/myApp/default/datetime.xml

$SPLUNK_HOME/etc/apps/myApp/default/datetime.xml

<datetime>
<define name="file4date" extract="year, month, day">
   <text><![CDATA[source::.*?/(\d{4})(\d{2})(\d{2})/]]></text>
</define>
<define name="event4time" extract="hour, minute, seconds">
   <!--This assumes that every event starts like this: "HH:MM:SS"  You must change to fit your data!!!-->
   <text><![CDATA[^(\d{2}):(\d{2}):(\d{2})]]></text>
</define>
<timePatterns>
   <use name="event4time"/>
</timePatterns>
<datePatterns>
   <use name="file4date"/>
</datePatterns>
</datetime>

Date stamp in directory name

There's No Place Like Chrome and the Splunk Platform

The Great Resilience Quest: 5th Leaderboard Update

Devesh Logendran, Splunk, and the Singapore Cyber Conquest