Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Extracting date from file name via custom datetime.xml not working...

sf-mike
Splunk Employee
Splunk Employee
‎02-11-2014 06:22 AM

All,

Here is the file name and my datetime.xml config. When I apply this and try to import the data, Splunk gets stuck in preview and never shows the data.

Thanks in advance for the assist!

File Name:

ADESS_FANALL_01082014_01172014_195441.csv

Datetime.xml Config

<datetime>

<define name="_masheddate3" extract="month, day, year">
        <text><![CDATA[(?:^|source::|source:).*?ADESS_FANALL_([01]\d)([0123]\d)(20[01]\d)]]></text>
</define>

<datePatterns>
        <use name="_masheddate3"/>
</datePatterns>

</datetime>
Reply

snehalk
Communicator
‎09-17-2017 11:32 PM

Hello @1500372,

I have followed same steps which you have mentioned in comment but am not getting any date extraction. Could you please help me 

copy datetime.xml to specific directory.
cp -p /home/splunk/etc/datetime.xml /home/splunk/etc/system/local/my_datetime.xml

configure props.conf
[mysourcetype]
DATETIME_CONFIG = /etc/system/local/my_datetime.xml
...

Put your datetime configuration to my_datetime.xml (I didn't remove anything from my_datetime.xml)

restart Splunk and monitor file

Thanks in Adavance

0 Karma
Reply

ramdaspr
Contributor
‎02-12-2015 10:32 PM 
ADESS_FANALL_(\d{2})(\d{2})20(\d{2})

might help.

0 Karma
Reply

kphillipson
Path Finder
‎02-12-2015 05:44 PM

I myself have the same problem with a file name like the one above. Your xml output looks ok.

0 Karma
Reply

1500372
Explorer
‎05-03-2016 01:05 AM

Did you remove all of configuration from datetime.xml? Why don't you copy datetime.xml from /etc to your directory?
I got the same situation and I resolved that like below.

  1. copy datetime.xml to specific directory.
    cp -p /home/splunk/etc/datetime.xml /home/splunk/etc/system/local/my_datetime.xml

  2. configure props.conf
    [mysourcetype]
    DATETIME_CONFIG = /etc/system/local/my_datetime.xml
    ...

  3. Put your datetime configuration to my_datetime.xml (I didn't remove anything from my_datetime.xml)

  4. restart Splunk and monitor file
    At that moment,I saw my test file name of ADESS_FANALL_01082014_01172014_195441.csv was indexed with expected timestamp. (14/01/08 xx:xx:xx.xxx)

0 Karma
Reply

kphillipson
Path Finder
‎02-16-2015 06:58 AM

What date is Splunk indexing it? The last modified date? That is what my file is being indexed as. I have no field inside my csv to represent time or date. Does yours?

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...