Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Extracting date from file name via custom datetime.xml not working...

sf-mike
Splunk Employee
Splunk Employee
‎02-11-2014 06:22 AM

All,

Here is the file name and my datetime.xml config. When I apply this and try to import the data, Splunk gets stuck in preview and never shows the data.

Thanks in advance for the assist!

File Name:

ADESS_FANALL_01082014_01172014_195441.csv

Datetime.xml Config

<datetime>

<define name="_masheddate3" extract="month, day, year">
        <text><![CDATA[(?:^|source::|source:).*?ADESS_FANALL_([01]\d)([0123]\d)(20[01]\d)]]></text>
</define>

<datePatterns>
        <use name="_masheddate3"/>
</datePatterns>

</datetime>
Reply

snehalk
Communicator
‎09-17-2017 11:32 PM

Hello @1500372,

I have followed same steps which you have mentioned in comment but am not getting any date extraction. Could you please help me 

copy datetime.xml to specific directory.
cp -p /home/splunk/etc/datetime.xml /home/splunk/etc/system/local/my_datetime.xml

configure props.conf
[mysourcetype]
DATETIME_CONFIG = /etc/system/local/my_datetime.xml
...

Put your datetime configuration to my_datetime.xml (I didn't remove anything from my_datetime.xml)

restart Splunk and monitor file

Thanks in Adavance

0 Karma
Reply

ramdaspr
Contributor
‎02-12-2015 10:32 PM 
ADESS_FANALL_(\d{2})(\d{2})20(\d{2})

might help.

0 Karma
Reply

kphillipson
Path Finder
‎02-12-2015 05:44 PM

I myself have the same problem with a file name like the one above. Your xml output looks ok.

0 Karma
Reply

1500372
Explorer
‎05-03-2016 01:05 AM

Did you remove all of configuration from datetime.xml? Why don't you copy datetime.xml from /etc to your directory?
I got the same situation and I resolved that like below.

  1. copy datetime.xml to specific directory.
    cp -p /home/splunk/etc/datetime.xml /home/splunk/etc/system/local/my_datetime.xml

  2. configure props.conf
    [mysourcetype]
    DATETIME_CONFIG = /etc/system/local/my_datetime.xml
    ...

  3. Put your datetime configuration to my_datetime.xml (I didn't remove anything from my_datetime.xml)

  4. restart Splunk and monitor file
    At that moment,I saw my test file name of ADESS_FANALL_01082014_01172014_195441.csv was indexed with expected timestamp. (14/01/08 xx:xx:xx.xxx)

0 Karma
Reply

kphillipson
Path Finder
‎02-16-2015 06:58 AM

What date is Splunk indexing it? The last modified date? That is what my file is being indexed as. I have no field inside my csv to represent time or date. Does yours?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...