Hello @ips_mandar,
I feel that I may be missing part of what you are asking for, but allow me to propose the following solution...
I have settings that will extract the date from the name of the file and the time of day from the event. Here are the sample events...
source= /Users/hansmaldonado/testing/dffgfXYLog09229190611.txt
_raw=30,04:56:47:928, abc:0xabc, 49.716720, -59.271553,197
If we assume that the last 6 digits in the source field represent the date, and if we assume that the time of day comes from "04:56:47:928" within the raw event, here are the settings that will extract _time as "06/11/2019 04:56:47.928"...
props.conf
[timestamp:test:splunkanswers]
TRANSFORMS-timestampeval = splunkanswers
DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Custom
pulldown_type = true
transforms.conf
[splunkanswers]
INGEST_EVAL=date=strptime(replace(source,".*(?=\d{6})",""), "%y%m%d"),date:=strftime(date,"%m/%d/%Y"),newtime=strftime(_time,"%H:%M:%S.%3N"),timestamp=date." ".newtime,_time:=strptime(timestamp,"%m/%d/%Y %H:%M:%S.%3N")
Note the syntax of ":=", which is required for INGEST_EVAL if you are performing operations on fields that already have values AND if you want to keep the new value. If you use "=", you will end up with multiple values for the fields.
My solution requires that you make the source/name of the file reflective of the date of the events, then we pull the time of day from the event.
Please let me know if this solution is acceptable for your needs. If not, please clarify how I might edit the solution to fit your use case.
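Added example, not part of the original answer and not Splunk code: a Python re-creation of the transform's logic (date from the last six digits of `source`, time of day from the event) for checking file names and sample events offline before deploying the settings. The function names are hypothetical, and the example assumes the time of day appears in the raw event as `HH:MM:SS:mmm`; it also rejects sources and events that do not fit instead of producing a wrong `_time`.

```python
import re
from datetime import datetime

# Same pattern as the transform: greedily drop everything before the last
# run of six digits in the source path.
LEADING = re.compile(r".*(?=\d{6})")
# Time of day as it appears in the sample event: HH:MM:SS:mmm
TIME_OF_DAY = re.compile(r"\b(\d{2}):(\d{2}):(\d{2}):(\d{3})\b")

# Sample values copied from the post above.
SAMPLE_SOURCE = "/Users/hansmaldonado/testing/dffgfXYLog09229190611.txt"
SAMPLE_RAW = "30,04:56:47:928, abc:0xabc, 49.716720, -59.271553,197"


def date_from_source(source):
    """Return the date encoded as yymmdd in the last six digits of source."""
    tail = LEADING.sub("", source, count=1)
    if not re.match(r"\d{6}", tail):
        raise ValueError(f"no six-digit date in source: {source!r}")
    # Python's strptime rejects trailing text such as ".txt", so slice first.
    return datetime.strptime(tail[:6], "%y%m%d").date()


def derive_time(source, raw):
    """Combine the file-name date with the event's time of day."""
    day = date_from_source(source)
    m = TIME_OF_DAY.search(raw)
    if m is None:
        raise ValueError(f"no HH:MM:SS:mmm time of day in event: {raw!r}")
    hour, minute, second, millis = (int(g) for g in m.groups())
    # datetime() raises ValueError for out-of-range values such as hour 25.
    return datetime(day.year, day.month, day.day, hour, minute, second, millis * 1000)


def format_time(ts):
    """Render like the post's expected value: %m/%d/%Y %H:%M:%S.%3N."""
    return ts.strftime("%m/%d/%Y %H:%M:%S.") + f"{ts.microsecond // 1000:03d}"


if __name__ == "__main__":
    print(format_time(derive_time(SAMPLE_SOURCE, SAMPLE_RAW)))
```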