Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk and Nested, time-stamped, folders

emckinlay
New Member
‎05-16-2012 09:36 AM

My log files are stored in nested folders of the following form:

1_1_2012

..... 08_45_10_12

.......... logfile1

.......... logfile2

The top level is the date (1/1/2012). The next level is the time (8:45:10.12). I am not seeing a way to handle this kind of folder structure. Seems like Splunk whats files to be in a single folder. Is there a way to deal with this structure?

Second question:
I am not seeing a way to tell Splunk what file format to use based on the name of the log file. Is this possible?

I am brand new to Splunk and it looks like it does a LOT of stuff really elegantly. Just have some questions.
Thanks for your help!

Eric

0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎05-16-2012 11:13 AM

Do the events in the logfiles themselves have a date/time stamp on each event? As long as it can derive the date/time from the events themselves, it doesn't care about your directory format and can recurse as far as needed in order to find the files. But, if you need to get the date itself from the name/path of the file, that does get a little trickier. We're going to need some additional information to help.

0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎05-16-2012 07:02 PM

Splunk will recurse by default. For optimum results, the events in the file need a date and a time stamp on each event. As far as the "format" or "schema", you can apply a different sourcetype based on the name of the file, then apply different settings (timestamp recognition, field extraction) based on the sourcetype. This is probably best extracted out to a separate question.

0 Karma
Reply

emckinlay
New Member
‎05-16-2012 05:32 PM

There is a timestamp in each file. I have the parsing logic set up for getting at the data for a particular file. Just not sure how to get the recursion to happen over the whole folder tree. Does this just happen by default?

Also there is still my second question about applying different file format schemas based on the file extension.

Thanks for your help,
E

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Splunk Developer Day was packed with product and platform updates for developers building in the AI ...