Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Extracting date from file name via custom datetime.xml not working...

sf-mike
Splunk Employee
Splunk Employee
‎02-11-2014 06:22 AM

All,

Here is the file name and my datetime.xml config. When I apply this and try to import the data, Splunk gets stuck in preview and never shows the data.

Thanks in advance for the assist!

File Name:

ADESS_FANALL_01082014_01172014_195441.csv

Datetime.xml Config

<datetime>

<define name="_masheddate3" extract="month, day, year">
        <text><![CDATA[(?:^|source::|source:).*?ADESS_FANALL_([01]\d)([0123]\d)(20[01]\d)]]></text>
</define>

<datePatterns>
        <use name="_masheddate3"/>
</datePatterns>

</datetime>
Reply

snehalk
Communicator
‎09-17-2017 11:32 PM

Hello @1500372,

I have followed same steps which you have mentioned in comment but am not getting any date extraction. Could you please help me 

copy datetime.xml to specific directory.
cp -p /home/splunk/etc/datetime.xml /home/splunk/etc/system/local/my_datetime.xml

configure props.conf
[mysourcetype]
DATETIME_CONFIG = /etc/system/local/my_datetime.xml
...

Put your datetime configuration to my_datetime.xml (I didn't remove anything from my_datetime.xml)

restart Splunk and monitor file

Thanks in Adavance

0 Karma
Reply

ramdaspr
Contributor
‎02-12-2015 10:32 PM 
ADESS_FANALL_(\d{2})(\d{2})20(\d{2})

might help.

0 Karma
Reply

kphillipson
Path Finder
‎02-12-2015 05:44 PM

I myself have the same problem with a file name like the one above. Your xml output looks ok.

0 Karma
Reply

1500372
Explorer
‎05-03-2016 01:05 AM

Did you remove all of configuration from datetime.xml? Why don't you copy datetime.xml from /etc to your directory?
I got the same situation and I resolved that like below.

  1. copy datetime.xml to specific directory.
    cp -p /home/splunk/etc/datetime.xml /home/splunk/etc/system/local/my_datetime.xml

  2. configure props.conf
    [mysourcetype]
    DATETIME_CONFIG = /etc/system/local/my_datetime.xml
    ...

  3. Put your datetime configuration to my_datetime.xml (I didn't remove anything from my_datetime.xml)

  4. restart Splunk and monitor file
    At that moment,I saw my test file name of ADESS_FANALL_01082014_01172014_195441.csv was indexed with expected timestamp. (14/01/08 xx:xx:xx.xxx)

0 Karma
Reply

kphillipson
Path Finder
‎02-16-2015 06:58 AM

What date is Splunk indexing it? The last modified date? That is what my file is being indexed as. I have no field inside my csv to represent time or date. Does yours?

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...