Hi

FIXED: 2023-05-25

you can try something like this

props.conf

[source::/var/log/data_*.log]
TRANSFORMS-set_time = set_time

transforms.conf

[set_time]
INGEST_EVAL = _time = strptime(replace(source, ".*/data_(\d{8}).*","\1") + tostring(random() % 86400,"duration"),"%Y%m%d%H:%M:%S")

Or test in GUI:

| makeresults 
| eval source="/var/log/data_20220507.log" 
| fields - _time
``` above set test data ```
| eval _time = strptime(replace(source, ".*/data_(\d{8}).*","\1") + tostring(random() % 86400,"duration"),"%Y%m%d%H:%M:%S")

I haven't tested those files, just in GUI, so there could be some mistakes, but  base idea is working.

 r. Ismo