Though the row data has a timestamp, I want to replace this timestamp with the date from the filename.
For example:
event:20120507214400,12,10,12028593134,12038621218,10,10101,1
filename:Test_20120503_000.log
I want to get "20120503" instead of "20120507214400".
How can I do this?
Thank you very much.
The only way I could think of accomplishing this would be using transforms.conf and props.conf. Below are code snippets that might get you most of the way.
http://docs.splunk.com/Documentation/Splunk/latest/admin/Transformsconf
http://docs.splunk.com/Documentation/Splunk/latest/Data/Configureindex-timefieldextraction
transforms.conf
[cust-time]
REGEX = \w+_([^_]{8})
SOURCE_KEY = source
DEST_KEY = timestamp

props.conf
[custom-log]
TRANSFORMS-1 = cust-time
DEST_KEY = timestamp does not exist.
DEST_KEY = _time is fine, but _time must be in epoch time... That's my problem too.
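As an added check that is not part of either answer above: before putting a REGEX into transforms.conf, it is worth running it against real filenames, and the reply above also raises the point that _time has to be an epoch value. The script below (mine, not from the thread; it assumes Python's re engine behaves like Splunk's PCRE for these two patterns, and treats the filename date as UTC midnight) runs the answer's REGEX against the two filenames quoted in the thread, adds one constructed filename where the greedy \w+ captures the wrong piece, compares it with a stricter pattern, and converts the date to the epoch seconds _time expects.

```python
import re
import calendar
from datetime import datetime

# REGEX from the answer above. The greedy \w+ also eats underscores, so the
# engine backtracks until it finds an "_" followed by eight non-underscore
# characters; which eight characters that is depends on the rest of the name.
ANSWER_REGEX = re.compile(r"\w+_([^_]{8})")

# Tighter pattern (my assumption, not from the thread): exactly eight digits
# between two underscores, so a longer sequence number cannot be captured.
STRICT_REGEX = re.compile(r"_(\d{8})_")


def date_from_filename(filename, pattern=STRICT_REGEX):
    """Return the captured yyyymmdd string, or None if the pattern fails."""
    m = pattern.search(filename)
    return m.group(1) if m else None


def epoch_from_yyyymmdd(yyyymmdd):
    """Midnight UTC of the given date as Unix epoch seconds (what _time needs).

    Assumption: the filename date is taken as UTC. If the files are named in
    local time, attach the matching tzinfo before converting instead.
    """
    dt = datetime.strptime(yyyymmdd, "%Y%m%d")
    return calendar.timegm(dt.timetuple())


# Constructed samples: the two filenames quoted in the thread, plus one with a
# four-digit sequence number that trips the answer's REGEX.
SAMPLES = [
    "Test_20120503_000.log",
    "mmss_reference_20120211_001.log",
    "Test_20120503_0012.log",
]


def compare_patterns():
    """Map each sample filename to (answer's capture, strict capture)."""
    return {
        name: (date_from_filename(name, ANSWER_REGEX), date_from_filename(name))
        for name in SAMPLES
    }


if __name__ == "__main__":
    for name, (loose, strict) in compare_patterns().items():
        print(f"{name}: answer regex -> {loose!r}, strict regex -> {strict!r}")
    print("epoch for 20120503:", epoch_from_yyyymmdd("20120503"))
```

On the two filenames from the thread both patterns capture the date, but on Test_20120503_0012.log the answer's REGEX backtracks to the last underscore and captures "0012.log" instead of the date, which is the kind of silent mis-parse that ends up as a wrong _time in the index. In transforms.conf the SOURCE_KEY is the full path, so anchoring on underscores and digits as in the strict pattern is still valid there.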
This docs section covers how Splunk assigns timestamps to events: http://docs.splunk.com/Documentation/Splunk/latest/Data/HowSplunkextractstimestamps
You might have success with setting a bogus TIME_FORMAT so Splunk is forced to resort to other ways of getting timestamps.
Thank you for your reply.
I deleted the time from the events, and then Splunk doesn't fetch the filename's time but the modification time. Can't Splunk parse the filename?
filename: "mmss_reference_20120211_001.log"