Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

index on regex field from source

hiddenkirby
Contributor
‎05-21-2010 07:28 PM

I have a dir of text files named like such scriptcalled_201005211317_stdout.txt

how do i index them on that date? I understand splunk already tries to pull the date from the source.. but if i can specify a regex i would prefer that... and i think it would be faster.

TIA,

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎05-22-2010 01:00 AM

See here: http://blogs.splunk.com/2009/12/02/configure-splunk-to-pull-a-date-out-of-a-non-standard-filename/

The default Splunk settings do many different formats, but you can be as specific as you like.

View solution in original post

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎05-22-2010 01:00 AM

See here: http://blogs.splunk.com/2009/12/02/configure-splunk-to-pull-a-date-out-of-a-non-standard-filename/

The default Splunk settings do many different formats, but you can be as specific as you like.

Reply
Solved! Jump to solution

hiddenkirby
Contributor
‎05-24-2010 03:50 PM

Thank you! 🙂

0 Karma
Reply
Solved! Jump to solution

Lowell
Super Champion
‎05-21-2010 08:39 PM

Timestamp extraction from source is controlled in the $SPLUNK_HOME/etc/datetime.xml file. Search the file for "source::" and you'll see the formats supported.

I think this is your only option. And regexes are definitely involved, although probably not in the way you were thinking.

0 Karma
Reply
Solved! Jump to solution

hiddenkirby
Contributor
‎05-21-2010 09:44 PM

i found http://www.splunk.com/base/Documentation/4.1.2/Admin/TrainSplunkToRecognizeATimestamp

i'll try to create my own datetime.xml 😛

0 Karma
Reply
Solved! Jump to solution

hiddenkirby
Contributor
‎05-21-2010 09:38 PM

or even something ot format it?
[source::/Applications/splunk/var/spool/splunk] TIME_PREFIX = (\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2}) FORMAT = $1/$2/$3 $4:$5:$6

0 Karma
Reply
Solved! Jump to solution

hiddenkirby
Contributor
‎05-21-2010 09:38 PM

or would i do something similar to this in props.conf [source::/Applications/splunk/var/spool/splunk]
TIME_PREFIX = \d{14}

0 Karma
Reply
Solved! Jump to solution

hiddenkirby
Contributor
‎05-21-2010 09:30 PM

can i create a _masheddate3 w/ my very specific regex?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...