Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Extracting date from file name via custom datetime.xml not working...

sf-mike
Splunk Employee
Splunk Employee
‎02-11-2014 06:22 AM

All,

Here is the file name and my datetime.xml config. When I apply this and try to import the data, Splunk gets stuck in preview and never shows the data.

Thanks in advance for the assist!

File Name:

ADESS_FANALL_01082014_01172014_195441.csv

Datetime.xml Config

<datetime>

<define name="_masheddate3" extract="month, day, year">
        <text><![CDATA[(?:^|source::|source:).*?ADESS_FANALL_([01]\d)([0123]\d)(20[01]\d)]]></text>
</define>

<datePatterns>
        <use name="_masheddate3"/>
</datePatterns>

</datetime>
Reply

snehalk
Communicator
‎09-17-2017 11:32 PM

Hello @1500372,

I have followed same steps which you have mentioned in comment but am not getting any date extraction. Could you please help me 

copy datetime.xml to specific directory.
cp -p /home/splunk/etc/datetime.xml /home/splunk/etc/system/local/my_datetime.xml

configure props.conf
[mysourcetype]
DATETIME_CONFIG = /etc/system/local/my_datetime.xml
...

Put your datetime configuration to my_datetime.xml (I didn't remove anything from my_datetime.xml)

restart Splunk and monitor file

Thanks in Adavance

0 Karma
Reply

ramdaspr
Contributor
‎02-12-2015 10:32 PM 
ADESS_FANALL_(\d{2})(\d{2})20(\d{2})

might help.

0 Karma
Reply

kphillipson
Path Finder
‎02-12-2015 05:44 PM

I myself have the same problem with a file name like the one above. Your xml output looks ok.

0 Karma
Reply

1500372
Explorer
‎05-03-2016 01:05 AM

Did you remove all of configuration from datetime.xml? Why don't you copy datetime.xml from /etc to your directory?
I got the same situation and I resolved that like below.

  1. copy datetime.xml to specific directory.
    cp -p /home/splunk/etc/datetime.xml /home/splunk/etc/system/local/my_datetime.xml

  2. configure props.conf
    [mysourcetype]
    DATETIME_CONFIG = /etc/system/local/my_datetime.xml
    ...

  3. Put your datetime configuration to my_datetime.xml (I didn't remove anything from my_datetime.xml)

  4. restart Splunk and monitor file
    At that moment,I saw my test file name of ADESS_FANALL_01082014_01172014_195441.csv was indexed with expected timestamp. (14/01/08 xx:xx:xx.xxx)

0 Karma
Reply

kphillipson
Path Finder
‎02-16-2015 06:58 AM

What date is Splunk indexing it? The last modified date? That is what my file is being indexed as. I have no field inside my csv to represent time or date. Does yours?

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...