Getting Data In

strptime() format for yyyymmddhhmmss?

Contributor

strptime() format expression examples

Below are some sample date formats with strptime() expressions that handle them.

1998-12-31                      %Y-%m-%d
98-12-31                        %y-%m-%d
1998 years, 312 days            %Y years, %j days
Jan 24, 2003                    %b %d, %Y
January 24, 2003                %B %d, %Y
q|25 Feb '03 = 2003-02-25|      q|%d %b '%y = %Y-%m-%d|

Does one exist for yyyymmddhhmmss?

My source field will look like this: /dir/to/file/on/20100526123445/file.txt

Curious if the dynamic date extraction could figure this out.

0 Karma
1 Solution

Super Champion

For extractions from a path, open up the $SPLUNK_HOME/etc/datetime.xml and search for entries prefixed with source::. It doesn't look like one exists right now, but you would probably have to add one. Since your timestamp has no breakers in it (there are no non-digits after the yyyymmdd portion), nothing in the source will match, based on the existing rexes in datetime.xml.

I see you've had some other questions on this topic. I'm guessing that you're creating your own datetime.xml and it isn't working. Is that correct? If you post what you've tried, someone may be able to help track it down.

And just for the record, the datetime.xml file uses all regexes, and is not a strptime() thing at all.


Are you looking to set up a TIME_FORMAT entry in a props.conf file? If so, try:

TIME_FORMAT = %Y%m%d%H%M%S

0 Karma

Splunk Employee

No, it will not get that format, though it might be able to get the date if the timestamps are in the file. If there is nothing in the file that can be misinterpreted as the date (which after all is just a 14-digit number), you may be able to use TIME_FORMAT. Otherwise, you should define a custom datetime.xml file.

0 Karma

Contributor

I tried http://www.splunk.com/base/Documentation/4.1.2/Admin/TrainSplunkToRecognizeATimestamp to help build the regex on "/dir/to/file/on/20100526123445/file.txt" to parse the date fields... but to no avail. I wanted to use that regex for my _masheddate3 in a local datetime.xml for my app. Am I closer?

0 Karma

Contributor

I misunderstood what TIME_PREFIX did. The closer I look at the results of the indexing... I notice it didn't work. There were a bunch of coincidental matches on information within the file. 😕

0 Karma

Super Champion

Is the name (full path) of the log file stored within the log file itself? I didn't think you could use a TIME_PREFIX to match against source.

0 Karma

Contributor

If it was /home/kirb/logs/20100521123456/file.txt

TIME_PREFIX=\/logs\/
TIME_FORMAT=%Y%m%d%H%M%S

0 Karma

Contributor

This worked... HOWEVER... it only worked if I specified TIME_PREFIX.

0 Karma

SplunkTrust

You should use something like %Y%m%d%H%M%S

0 Karma
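
An added example, not part of the original thread and not Splunk's own code: Python's strptime() accepts the same %Y%m%d%H%M%S format, so this sketch pulls the 14-digit timestamp out of the source paths quoted above and shows the failure mode the replies describe, where a 14-digit number inside the event text also parses as a date. The regexes, function names and sample event lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime

TIME_FORMAT = "%Y%m%d%H%M%S"  # the format string given in the thread

# Assumption: the timestamp is a whole path component of exactly 14 digits.
PATH_TS = re.compile(r"(?<=/)\d{14}(?=/)")
# Any stand-alone 14-digit run in event text (not part of a longer number).
BARE_TS = re.compile(r"(?<!\d)\d{14}(?!\d)")

def parse_ts(digits):
    """Return a datetime if the digits form a real calendar time, else None."""
    try:
        return datetime.strptime(digits, TIME_FORMAT)
    except ValueError:  # month 13, day 32, hour 25, Feb 30, ...
        return None

def timestamp_from_source(source):
    """First valid 14-digit timestamp component in a source path, or None."""
    for m in PATH_TS.finditer(source):
        ts = parse_ts(m.group(0))
        if ts is not None:
            return ts
    return None

def coincidental_matches(text):
    """14-digit runs in event text that would be accepted as timestamps."""
    return [(m.group(0), ts) for m in BARE_TS.finditer(text)
            if (ts := parse_ts(m.group(0))) is not None]

if __name__ == "__main__":
    # Paths are the ones quoted in the thread; event lines are constructed.
    for src in ("/dir/to/file/on/20100526123445/file.txt",
                "/home/kirb/logs/20100521123456/file.txt"):
        print(src, "->", timestamp_from_source(src))
    for line in ("order id 19991231235959 shipped",
                 "account 40012345678901 debited"):
        print(repr(line), "->", coincidental_matches(line))
```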