Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

getting event timestamp from source file name

lyndac
Contributor
‎05-26-2010 05:48 PM

I have a .csv file that I'm indexing. There is no timestamp information in the .csv file, but there is a date in the file name itself. How can I tell splunk to use the date in the SOURCE as the timestamp for each event in the file?

Ex filenames:

MY_FILE-2010-05-25.csv
MY_FILE-2010-05-26.csv
Tags (1)
Reply

lyndac
Contributor
‎05-27-2010 02:16 PM

it's using the modification time of the file.

0 Karma
Reply

Lowell
Super Champion
‎05-26-2010 07:55 PM

This should be done automatically.

You can get more info about a custom setup on this blog entry:

However, this is a pretty popular date format, so you shouldn't need a custom setup. This date should match the _isodate named format. (As seen in the default datetime.xml file.)

Reply

lyndac
Contributor
‎05-27-2010 02:01 PM

I updated my props.conf to have TIME_PREFIX=FILE- TIME_FORMAT=%Y-%m-%d MAX_TIMESTAMP_LOOKAHEAD=20 and SPLUNK used the modified date of the file as the timestamp. (not the date in the filename).

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎05-27-2010 04:35 AM

To make sure it gets the date from the file name, configure you TIME_PREFIX, TIME_FORMAT, and MAX_TIMESTAMP_LOOKAHEAD so that there is no possibility that it will find a date elsewhere in your event text. (Splunk is somewhat aggressive about this if you leave it on its own.) Once it fails there, it will find its way to finding the date in the file name.

0 Karma
Reply

piebob
Splunk Employee
Splunk Employee
‎05-26-2010 06:53 PM

is splunk not automatically getting the timestamp from the filename? what is being used instead?

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...