Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

getting event timestamp from source file name

lyndac
Contributor
‎05-26-2010 05:48 PM

I have a .csv file that I'm indexing. There is no timestamp information in the .csv file, but there is a date in the file name itself. How can I tell splunk to use the date in the SOURCE as the timestamp for each event in the file?

Ex filenames:

MY_FILE-2010-05-25.csv
MY_FILE-2010-05-26.csv
Tags (1)
Reply

lyndac
Contributor
‎05-27-2010 02:16 PM

it's using the modification time of the file.

0 Karma
Reply

Lowell
Super Champion
‎05-26-2010 07:55 PM

This should be done automatically.

You can get more info about a custom setup on this blog entry:

However, this is a pretty popular date format, so you shouldn't need a custom setup. This date should match the _isodate named format. (As seen in the default datetime.xml file.)

Reply

lyndac
Contributor
‎05-27-2010 02:01 PM

I updated my props.conf to have TIME_PREFIX=FILE- TIME_FORMAT=%Y-%m-%d MAX_TIMESTAMP_LOOKAHEAD=20 and SPLUNK used the modified date of the file as the timestamp. (not the date in the filename).

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎05-27-2010 04:35 AM

To make sure it gets the date from the file name, configure you TIME_PREFIX, TIME_FORMAT, and MAX_TIMESTAMP_LOOKAHEAD so that there is no possibility that it will find a date elsewhere in your event text. (Splunk is somewhat aggressive about this if you leave it on its own.) Once it fails there, it will find its way to finding the date in the file name.

0 Karma
Reply

piebob
Splunk Employee
Splunk Employee
‎05-26-2010 06:53 PM

is splunk not automatically getting the timestamp from the filename? what is being used instead?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

In today’s data-heavy environment, organizations are caught in a data distribution dilemma. As data volumes ...

GA: New Data Management App in Splunk Platform

Streamlining Data Management: Introducing a unified experience in Splunk Managing data at scale shouldn’t feel ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...