Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Use source path time when ingesting data

power12
Communicator
‎02-27-2024 01:14 PM

I have the following source .I want to extract time from source when data is ingesting

 

source="/logs/gs/ute-2024-02-05a/2024-02-05_16-17-54/abc.log"

 

in props 

 

TRANSFORMS-set_time =source_path_time

 

 

In transforms 

 

[set_time_from_file_path]
INGEST_EVAL = | eval _time = strptime(replace(source, ".*/ute-(\\d{4}-\\d{2}-\\d{2}[a-z])/([^/]+/[^/]+).*","\1"),"%y-%m-%d_%H-%M-%S")

 

 

 

I tried testing it but I am unable to get the _time

 

| makeresults 
| eval source="/logs/gs/ute-2024-02-05a/2024-02-05_16-17-54/abc.log" 
| fields - _time
``` above set test data ```
| eval _time = strptime(replace(source, ".*/compute-(\\d{4}-\\d{2}-\\d{2}[a-z])/([^/]+/[^/]+).*","\1"),"%y-%m-%d_%H-%M-%S")

 

 

Thanks in Advance

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

power12
Communicator
‎02-28-2024 06:59 AM

Thank You @victor_menezes  .I tried below and it worked .

| eval _time = strptime(replace(source, ".*(\d\d\d\d-\d\d-\d\d\_\d\d-\d\d-\d\d).*","\1"),"%Y-%m-%d_%H-%M-%S")

View solution in original post

0 Karma
Reply
Solved! Jump to solution

victor_menezes
Communicator
‎02-27-2024 06:52 PM

Your props is not matching the stanza name of transforms. Not sure if that was a typo...
About a typo, you don't need that first pipe in the ingest_eval. Try this instead (I changed the regex a bit)

Props.conf:
[your_sourcetype]
TRANSFORMS-set_time = set_time_from_file_path

Transforms.conf
[set_time_from_file_path]
INGEST_EVAL = eval _time = strptime(replace(source, ".*/ute-(\\d{4}-\\d{2}-\\d{2}[a-z]+)/([^/]+/[^/]+).*","\\1"), "%Y-%m-%d_%H-%M-%S")

Reply
Solved! Jump to solution
Solution

power12
Communicator
‎02-28-2024 06:59 AM

Thank You @victor_menezes  .I tried below and it worked .

| eval _time = strptime(replace(source, ".*(\d\d\d\d-\d\d-\d\d\_\d\d-\d\d-\d\d).*","\1"),"%Y-%m-%d_%H-%M-%S")

0 Karma
Reply
Solved! Jump to solution

victor_menezes
Communicator
‎02-28-2024 07:30 AM

Awesome! Glad to know that.

Please remember to mark this as resolved so others can know about it.

Happy splunking!

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...