Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use folder name/path as TimeStamp

p3hndrx
Explorer
‎01-27-2020 10:20 AM

Greetings---
I am in the process of building an add-on.
I am building this add-on to utilize input data stored in folders with the structure:

basedir\APP\log\activity\MLBB\TierData\01272020\en\SA\Week.Normal.Classic.csv

basedir\APP\log\activity\MLBB\TierData\01272020\en\SA\Week.High.Classic.csv

basedir\APP\log\activity\MLBB\TierData\01272020\en\SA\Week.Very-High.Classic.csv

basedir\APP\log\activity\MLBB\TierData\01272020\en\SA\Week.All-Levels.rank.csv

basedir\APP\log\activity\MLBB\TierData\01272020\en\SA\Week.Normal.rank.csv

basedir\APP\log\activity\MLBB\TierData\01272020\en\SA\Week.High.rank.csv

basedir\APP\log\activity\MLBB\TierData\01272020\en\SA\Week.Very-High.rank.csv

basedir\APP\log\activity\MLBB\TierData\01272020\en\SA\Week.All-Levels.brawl.csv

basedir\APP\log\activity\MLBB\TierData\01272020\en\SA\Week.Normal.brawl.csv

basedir\APP\log\activity\MLBB\TierData\01272020\en\SA\Week.High.brawl.csv

basedir\APP\log\activity\MLBB\TierData\01272020\en\SA\Week.Very-High.brawl.csv

I would like to use the date in the folder path (in this case, 01272020) as the Timestamp, ideally at Index Time.

I see this documentation:
https://docs.splunk.com/Documentation/Splunk/latest/Data/HowSplunkextractstimestamps

And this article:
https://answers.splunk.com/answers/94763/set-timestamp-based-on-file-source-path.html

But when I place:

EVAL-_time=strptime(file_name, "%m%d%Y")

in my props.conf, it didn't seem to work.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎01-27-2020 01:37 PM

Ideally you need to extract the part of the path that contains a date into a field first, and then run the eval against that.
Assuming file_name is already extracted..

..your search..|rex file_name (?P<stringDate>\d{8})|eval _time=strptime(stringDate, "%m%d%Y")

Give that a go.

If my comment helps, please give it a thumbs up!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎01-27-2020 01:37 PM

Ideally you need to extract the part of the path that contains a date into a field first, and then run the eval against that.
Assuming file_name is already extracted..

..your search..|rex file_name (?P<stringDate>\d{8})|eval _time=strptime(stringDate, "%m%d%Y")

Give that a go.

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...