Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Extract date from a varying source name

luv
Explorer
‎12-06-2013 10:13 AM

Hi Guys,

My log files has events with the time stamp on it, just the time not the date but luckily the source name has the date in it and splunk automatically identifies date from the source name and displays it with the events accordingly.

My logs:-
10:32:21,453 INFO [2212] abcdxyz
10:32:21,112 INFO [2212] abcdxyz
10:32:22,409 INFO [1121] abcdxyz

source names :- server-nameA.2013-10-01
server-nameB.2013-10-01

splunk is showing the events after indexing like:-

2013/10/01 10:32:21,453 INFO [2212] abcdxyz
2013/10/01 10:32:21,112 INFO [2212] abcdxyz
2013/10/01 10:32:22,409 INFO [1121] abcdxyz

But sometimes my log files also has version number attached to them at the last.

source name with version number : server-nameA.2013-10-01.1
server-nameB.2013-10-01.1

Now splunk is also taking version number for the date and after indexing my events look like:

2010/10/01 10:33:23,343 INFO [2232] abcdxyz
2010/10/01 10:33:19,144 INFO [2394] abcdxyz
2010/10/01 10:34:23,239 INFO [1943] abcdxyz

i want the date to be 2013/10/01 not 2010/10/01 when the source name is something like server-nameA.2013-10-01.1

I have searched through the internet for an answer but none of them assured me a valid result.
Please, Can anyone help me fix this issue?

Many Regards...

0 Karma
Reply

dart
Splunk Employee
Splunk Employee
‎12-17-2013 02:31 AM

I'd strongly suggest that you get the application to log complete timestamps (ideally in ISO format with timezone).

If you are unable to do so, are you able to remove the date from the filename?

If you are unable to do so, you can try modifying your props.conf like so:

[my_application_source_type]
TIME_FORMAT = %H:%M:%S,%3N
MAX_DAYS_AGO=1

If none of those options are viable, you can just use the current time:

[my_application_source_type]
DATETIME_CONFIG = CURRENT
0 Karma
Reply

luv
Explorer
‎12-18-2013 10:55 AM

[my_application_source_type]
TIME_FORMAT = %H:%M:%S,%3N
MAX_DAYS_AGO=1

I did the above changes in my props.conf and now splunk is taking the current date for my events. It's still not taking the date from the source name 😞

0 Karma
Reply

luv
Explorer
‎12-06-2013 11:49 AM

time stamp without version in source name:-
2013/10/01 10:32:21,453 INFO [2212] abcdxyz

time stamp with version in source name:-
2010/10/01 10:33:23,343 INFO [2232] abcdxyz

In the second example splunk is taking the version number of the source name hence the date is shifted from 2013/10/01 to 2010/10/01

0 Karma
Reply

somesoni2
Revered Legend
‎12-06-2013 11:07 AM

I don't see the event example you listed 2nd time is different from 1st one. Did you miss pasting the new data.?

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...