Could anyone help me with the configuration for extraction of date from path, which is done automatically?
I am using Splunk 6.2, and I have the following path/file:
and there is no date info in each event.
00:00:01 key=1
00:00:02 key=2
00:00:03 key=3
00:00:04 key=4
00:00:05 key=5
With Splunk 6.2, date information is automatically extracted without any manual configuration, so my events with the path above are indexed as:
15/05/20 00:00:01 key=1
15/05/20 00:00:02 key=2
15/05/20 00:00:03 key=3
15/05/20 00:00:04 key=4
15/05/20 00:00:05 key=5
This is very good, and correct indexing, but I want to know which configuration file and parameter is used to control this behavior.
I have read this, but could not find how to specify the date format in the path for the date.
http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/HowSplunkextractstimestamps
4. If no events in a source have a date, Splunk Enterprise tries to find a date in the source name or file name. Time-of-day is not identified in filenames. (This requires that the events have a time, even though they don't have a date.)
Could anyone explain how the date is detected in the path and whether I can change this behavior for a different date format as well?
Thank you in advance!