Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Use source path time when ingesting data
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the following source .I want to extract time from source when data is ingesting
source="/logs/gs/ute-2024-02-05a/2024-02-05_16-17-54/abc.log"
in props
TRANSFORMS-set_time =source_path_time
In transforms
[set_time_from_file_path]
INGEST_EVAL = | eval _time = strptime(replace(source, ".*/ute-(\\d{4}-\\d{2}-\\d{2}[a-z])/([^/]+/[^/]+).*","\1"),"%y-%m-%d_%H-%M-%S")
I tried testing it but I am unable to get the _time
| makeresults
| eval source="/logs/gs/ute-2024-02-05a/2024-02-05_16-17-54/abc.log"
| fields - _time
``` above set test data ```
| eval _time = strptime(replace(source, ".*/compute-(\\d{4}-\\d{2}-\\d{2}[a-z])/([^/]+/[^/]+).*","\1"),"%y-%m-%d_%H-%M-%S")
Thanks in Advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank You @victor_menezes .I tried below and it worked .
| eval _time = strptime(replace(source, ".*(\d\d\d\d-\d\d-\d\d\_\d\d-\d\d-\d\d).*","\1"),"%Y-%m-%d_%H-%M-%S")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your props is not matching the stanza name of transforms. Not sure if that was a typo...
About a typo, you don't need that first pipe in the ingest_eval. Try this instead (I changed the regex a bit)
Props.conf:
[your_sourcetype]
TRANSFORMS-set_time = set_time_from_file_path
Transforms.conf
[set_time_from_file_path]
INGEST_EVAL = eval _time = strptime(replace(source, ".*/ute-(\\d{4}-\\d{2}-\\d{2}[a-z]+)/([^/]+/[^/]+).*","\\1"), "%Y-%m-%d_%H-%M-%S")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank You @victor_menezes .I tried below and it worked .
| eval _time = strptime(replace(source, ".*(\d\d\d\d-\d\d-\d\d\_\d\d-\d\d-\d\d).*","\1"),"%Y-%m-%d_%H-%M-%S")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Awesome! Glad to know that.
Please remember to mark this as resolved so others can know about it.
Happy splunking!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Automating Threat Operations and Threat Hunting with Recorded Future
Keep the Learning Going with the New Best of .conf Hub
Splunk Community Badges!
