Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Parse date without having a time

OL
Communicator
‎10-08-2013 02:09 PM

Hi all,

I'm trying to index some csv files which contains data without a timestamp. I only have the date which is part of the name of the files. I don't mind not having the time as what it is important is the day is has been created. Unfortunately, the changes I have done result to the same output: the datetime of the event is the last modified datetime of the file. Here is what I have done:

Name of the file: "13 02 01 myfile.csv"

Props:

[my_csv_file]
DATETIME_CONFIG = \etc\system\local\datetime.xml
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
pulldown_type = 1

\etc\system\local\datetime.xml:

...
<define name="_masheddate3" extract="year, month, day">
  <text><![CDATA[(?:^|source::).*?(?<!\d|\d\.|-)(?:20)?([901]\d) (0\d|1[012]) ([012]\d|3[01])(?!\d|-| {2,}).*\.csv]]></text>
</define>
...
<datePatterns>
      <use name="_masheddate3"/>
      ...
</datePatterns>

Anyone knows how to solve this issue?

Regards,
Olivier

Reply

sideview
SplunkTrust
SplunkTrust
‎10-08-2013 06:22 PM

I might be reading too much into the position of the "..." in <datePatterns>, but if you've actually listed your <use> node as the first one in your datetime.xml, instead of as the last one, that might be it.

The last one wins I think so it might be just matching an earlier rule before it gets to yours.

Move it to the end of the list.

0 Karma
Reply

OL
Communicator
‎10-09-2013 06:30 AM

Hello,

I have tested a situation where I have a timestamp in the CSV file and everything works as expected. So the problem is really that he cannot find any time in the events so it ignores the date as well.

Anyone knows how to force to a specific time?

Regards,
Olivier

0 Karma
Reply

OL
Communicator
‎10-08-2013 11:14 PM

Hello sideview,

Thank you for your answer. Yes indeed, I have placed the at the first place as I thought this was the order (_usdate1 is used first!). I have moved it at the last place but I have the same issue 😞

Regards,
Olivier

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...