Extract year from filename

C_HIEN · ‎10-31-2017

I have some old syslog files to index.
I'm trying to extract year from the filename and month, day, time from events (in a custom datetime.xml) without success.

Is it possible? How to do that?

Thanks

sbbadri · ‎11-01-2017

@C_HIEN

check that filename and source field have same value. If so you can extract by using regex or field extraction

1) rex field=source "/tmp/filename-(?<fileyear>\d+)"
2) props.conf

EXTRACT-fileyear = /tmp/filename-(?<fileyear>\d+) in source

C_HIEN · ‎11-01-2017

Thanks for your answer. I've already seen the answers you mention but it's not exactly what i'm trying to do... I want extract the year only from filename and get day and month from events... I've temporary solved my problem with an uf on a virtual machine within the system date was changed to the year of the files to index. But i still hope there is a better solution...

ekost · ‎11-01-2017

Sorry, I missed the "day, time from events" portion of the question. I think "sbbadri" has the piece you're looking for. Good luck!

ekost · ‎10-31-2017

These: one and two older Answers posts cover the typical scenarios and provide regex samples on using a custom datetime.xml to extract the date from the file name.

Extract year from filename

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!