Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to get props and transforms to extract time from source?

power12
Communicator
‎04-28-2023 01:02 PM

Hello Splunkers ,

 

I have the following source file which has the date/time in it .. How do I write the props and transforms to use the source date/time as the _time

 

Below is the sample file

/project/admin/sv/re/sniff/pre/logs/2022-12-16T11-57-36/status 

i want the _time or indexed time to be 2022-12-16 11-57-36.

 

Thanks in Advance 

Labels (2)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎05-25-2023 01:05 AM

Hi

Another way is use to INGEST_EVAL. I cannot say which one is more efficient.

Add props.conf

[<source or sourcetype name>]
TRANSFORMS-set_time = set_time_from_file_path

transforms.conf

[set_time_from_file_path]
INGEST_EVAL = _time = strptime(replace(source, ".*(\d{4}-\d\d-\d\dT\d\d-\d\d-\d\d)/status","\1"),"%Y-%m-%dT%H-%M-%S")

 You also need to check TZ information should you add it here or not?  Definitely needs if you have source systems on different timezones and/or source systems and indexers / HFs are on different TZ.

r. Ismo

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-28-2023 11:16 PM

Hi @power12,

you have to configure datetime_config.xml and point to it in props.conf:

props.conf:

[your_sourcetype]
DATETIME_CONFIG = /opt/splunk/etc/apps/your_app/local/datetime.xml

in datetime_config.xml:

<datetime>

<define name="_timeAndDateFromFilename" extract="year, month, day, hour, minute, second">
        <text><![CDATA[source::\/project\/admin\/sv\/re\/sniff\/pre\/logs\/?(\d{4})-(\d{2})-(\d{2}T(\d{2})-(\d{2})-(\d{2})]]></text>
</define>

<timePatterns>
        <use name="_timeAndDateFromFilename"/>
</timePatterns>

</datetime>

As described at https://docs.splunk.com/Documentation/Splunk/9.0.4/Data/Configuredatetimexml#Examples_of_custom_date... 

Ciao.

Giuseppe

 

0 Karma
Reply

power12
Communicator
‎05-01-2023 11:23 AM

@gcusello  Thank you for your message...do you think there is a ) missing before the T

(\d{4})-(\d{2})-(\d{2}T(\d{2})-(\d{2})-(\d{2})
(\d{4})-(\d{2})-(\d{2})T(\d{2})-(\d{2})-(\d{2})

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-01-2023 11:20 PM

Hi @power12,

yes, correct, sorry!

Ciao.

Giuseppe

Reply

gcusello
SplunkTrust
SplunkTrust
‎05-24-2023 09:02 PM

hi @power12 ,

good for you, see next time!

Please accept one answer for the other people of Community

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...