Re: Extracting event date from file path

swdonline · ‎09-04-2011

hello all,

I have a set of log files being created in a directory structure as:
/data/hostname/year/month/day/logfile

I understand that I can use the host_segment command to extract the field. I cannot, however, seem to find a way for splunk to automatically extract the date from this path. Any recommendations would be appreciated.

gelica · ‎07-08-2013

Hi,
Did you ever find a way to do this? 🙂

n0b1ta · ‎04-09-2012

I'm having the same proble,. I'm quite new to splunk.
Can anyone please describe more details ?
How can I setup dynamic directories based on timestamp?

Thanks

Ayn · ‎09-04-2011

While I haven't tried this is a setup of my own, according to the documentation Splunk should be doing this automatically if it cannot find a timestamp for events in a file.

See the precedence rules for how Splunk assigns timestamps to events here: http://docs.splunk.com/Documentation/Splunk/latest/Data/HowSplunkextractstimestamps

swdonline · ‎09-05-2011

Thanks Ayn. I did indeed check the docs prior to posting and what I think is the problem is "4. If no events in a source have a date, look in the source (or file) name (Must have time in the event)." Specifically, my events have no timestamps. It's just a summary of items for a 24 hour period. So it seems to be defaulting to #5 or #6. Is there a workaround to force date extraction without timestamps? Or a way to force a timestamp of 00:00 without scripting input?

Extracting event date from file path

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation