Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use folder name/path as TimeStamp

p3hndrx
Explorer
‎01-27-2020 10:20 AM

Greetings---
I am in the process of building an add-on.
I am building this add-on to utilize input data stored in folders with the structure:

basedir\APP\log\activity\MLBB\TierData\01272020\en\SA\Week.Normal.Classic.csv

basedir\APP\log\activity\MLBB\TierData\01272020\en\SA\Week.High.Classic.csv

basedir\APP\log\activity\MLBB\TierData\01272020\en\SA\Week.Very-High.Classic.csv

basedir\APP\log\activity\MLBB\TierData\01272020\en\SA\Week.All-Levels.rank.csv

basedir\APP\log\activity\MLBB\TierData\01272020\en\SA\Week.Normal.rank.csv

basedir\APP\log\activity\MLBB\TierData\01272020\en\SA\Week.High.rank.csv

basedir\APP\log\activity\MLBB\TierData\01272020\en\SA\Week.Very-High.rank.csv

basedir\APP\log\activity\MLBB\TierData\01272020\en\SA\Week.All-Levels.brawl.csv

basedir\APP\log\activity\MLBB\TierData\01272020\en\SA\Week.Normal.brawl.csv

basedir\APP\log\activity\MLBB\TierData\01272020\en\SA\Week.High.brawl.csv

basedir\APP\log\activity\MLBB\TierData\01272020\en\SA\Week.Very-High.brawl.csv

I would like to use the date in the folder path (in this case, 01272020) as the Timestamp, ideally at Index Time.

I see this documentation:
https://docs.splunk.com/Documentation/Splunk/latest/Data/HowSplunkextractstimestamps

And this article:
https://answers.splunk.com/answers/94763/set-timestamp-based-on-file-source-path.html

But when I place:

EVAL-_time=strptime(file_name, "%m%d%Y")

in my props.conf, it didn't seem to work.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎01-27-2020 01:37 PM

Ideally you need to extract the part of the path that contains a date into a field first, and then run the eval against that.
Assuming file_name is already extracted..

..your search..|rex file_name (?P<stringDate>\d{8})|eval _time=strptime(stringDate, "%m%d%Y")

Give that a go.

If my comment helps, please give it a thumbs up!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎01-27-2020 01:37 PM

Ideally you need to extract the part of the path that contains a date into a field first, and then run the eval against that.
Assuming file_name is already extracted..

..your search..|rex file_name (?P<stringDate>\d{8})|eval _time=strptime(stringDate, "%m%d%Y")

Give that a go.

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out &gt;&gt; As our brave ...