I have a dir of text files named like this: scriptcalled_201005211317_stdout.txt
How do I index them on that date? I understand Splunk already tries to pull the date from the source, but if I can specify a regex I would prefer that, and I think it would be faster.
TIA,
See here: http://blogs.splunk.com/2009/12/02/configure-splunk-to-pull-a-date-out-of-a-non-standard-filename/
The default Splunk settings do many different formats, but you can be as specific as you like.
Thank you! 🙂
Timestamp extraction from source is controlled in the $SPLUNK_HOME/etc/datetime.xml file. Search the file for "source::" and you'll see the formats supported.
I think this is your only option. And regexes are definitely involved, although probably not in the way you were thinking.
I found http://www.splunk.com/base/Documentation/4.1.2/Admin/TrainSplunkToRecognizeATimestamp
I'll try to create my own datetime.xml 😛
Or even something to format it?
[source::/Applications/splunk/var/spool/splunk]
TIME_PREFIX = (\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})
FORMAT = $1/$2/$3 $4:$5:$6

Or would I do something similar to this in props.conf?

[source::/Applications/splunk/var/spool/splunk]
TIME_PREFIX = \d{14}

Can I create a _masheddate3 w/ my very specific regex?
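A quick way to check a candidate regex against the actual filenames before putting it into datetime.xml or props.conf is to run it outside Splunk. The script below is an added example, not part of this thread and not Splunk code; it assumes filenames follow the asker's pattern (a 12-digit YYYYMMDDHHMM stamp between underscores) and shows that the 14-digit YYYYMMDDHHMMSS pattern from the blog post does not match them, while a 12-digit pattern does. It also rejects digit runs that are not valid dates rather than indexing them under a bogus time.

```python
import re
from datetime import datetime

# Constructed sample filenames; only the first one comes from the thread.
SAMPLE_FILES = [
    "scriptcalled_201005211317_stdout.txt",
    "scriptcalled_201005211318_stderr.txt",
    "scriptcalled_201013011317_stdout.txt",  # month 13: digits match but not a real date
    "notes.txt",                             # no timestamp at all
]

# 12-digit YYYYMMDDHHMM stamp delimited by underscores, as in the asker's filenames.
TWELVE_DIGIT = re.compile(r"_(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})_")

# 14-digit YYYYMMDDHHMMSS pattern from the blog post; it needs two more digits
# than these filenames contain, so it never matches them.
FOURTEEN_DIGIT = re.compile(r"(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})")


def extract_timestamp(filename, pattern=TWELVE_DIGIT):
    """Return a datetime parsed from the filename, or None when the pattern
    does not match or the captured digits are not a valid calendar date."""
    m = pattern.search(filename)
    if not m:
        return None
    try:
        # Groups are year, month, day, hour, minute[, second] in that order.
        return datetime(*(int(g) for g in m.groups()))
    except ValueError:
        # e.g. month 13 or day 32: refuse rather than silently mis-index
        return None


def index_by_date(filenames, pattern=TWELVE_DIGIT):
    """Split filenames into {name: timestamp} for matches and a list of
    names that would fall back to Splunk's default timestamp handling."""
    matched = {}
    unmatched = []
    for name in filenames:
        ts = extract_timestamp(name, pattern)
        if ts is None:
            unmatched.append(name)
        else:
            matched[name] = ts
    return matched, unmatched


if __name__ == "__main__":
    for label, pat in (("12-digit", TWELVE_DIGIT), ("14-digit", FOURTEEN_DIGIT)):
        matched, unmatched = index_by_date(SAMPLE_FILES, pat)
        print(f"{label} pattern: {len(matched)} matched, {len(unmatched)} unmatched")
        for name, ts in matched.items():
            print(f"  {name} -> {ts.isoformat()}")
```

Run it as-is and the 12-digit pattern yields two indexed files and two rejects, while the 14-digit pattern rejects everything; that is the mismatch to look for before wondering why Splunk fell back to the file's modification time.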