Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to use ingest-eval when filename always changing ?

mah
Builder
‎06-25-2020 01:01 AM

Hi,

How can I index multiple file with only one INGEST-EVAL ?

For instance, I have a filename that can change : 

prod-1-%d%m%Y%H%M%S.txt

prod-2-%d%m%Y%H%M%S.txt

prod-3-%d%m%Y%H%M%S.txt

I tried this :

[timestampeval]
INGEST_EVAL = _time=strptime(replace(source,".*(?=/)/",""),"prod-.-%d%m%Y%H%M%S.txt")

But doesn't work... 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

mthomas_splunk
Splunk Employee
Splunk Employee
‎06-29-2020 04:20 AM

INGEST_EVAL can be used for many different purposes. I believe in this case, you are wanting to take a timestamp from the file name, and use it for each event ingested. You also want the logic to ignore "prod-x-" (where 'x' is a positive integer).

The following entry in your transforms.conf should do the trick: 

 

INGEST_EVAL = _time=strptime(replace(source,"(^.*(?=/)/prod-\d+-|\.txt$)",""),"%d%m%Y%H%M%S")

 

Tags (2)
0 Karma
Reply

mah
Builder
‎07-08-2020 12:32 AM

Hi @mthomas_splunk ,

It is exactly what I try to set up in my case. 

I tested your answer and works great ! 

Thanks for your help !  

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...