One thing I would like to add to this is that if there is a timestamp in the raw events (without a date), you can also include it in the INGEST_EVAL. In addition, you can also set the character position of the file name using x-coordinates to define the date (or text) to extract.

Ex.

File: /path/to/file/MY_FILE-25-02.22.log

Raw Event: 08:36:22:27910 | {event log details|[that are not]:// important-or-relevant (to the overall) solution..\\}

INGEST_EVAL = _time=strptime(substr(source,-12,8).substr(_raw,0,15), "%d-%m.%y%H:%M:%S:%Q")
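An added example, not part of the original comment and not Splunk code: a Python check that mirrors the fixed-offset slice of the file name used in the INGEST_EVAL above and compares it with a pattern-anchored extraction, so that a file name whose tail differs from the expected one is caught before events are indexed with the wrong time. The rotated file name, the helper names, and reading the digits after the last colon as a decimal fraction of a second are assumptions.

```python
import re
from datetime import datetime

DATE_LEN = 8      # length of "25-02.22"
SUFFIX_LEN = 4    # length of ".log"
# Date immediately before ".log", tolerating extra suffixes such as ".1".
DATE_RE = re.compile(r"(\d{2}-\d{2}\.\d{2})\.log(?:\.\w+)*$")
TIME_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}):(\d+)")

# File name and event head from the comment; the rotated name is constructed.
SAMPLE_SOURCE = "/path/to/file/MY_FILE-25-02.22.log"
ROTATED_SOURCE = "/path/to/file/MY_FILE-25-02.22.log.1"
SAMPLE_RAW = "08:36:22:27910 | {event log details}"

def date_by_offset(source):
    """Fixed-position slice: 8 characters starting 12 from the end."""
    return source[-(DATE_LEN + SUFFIX_LEN):-SUFFIX_LEN]

def date_by_pattern(source):
    """Locate the date by its shape instead of its position."""
    m = DATE_RE.search(source)
    return m.group(1) if m else None

def event_time(date_text, raw):
    """Join file-name date and raw time; None if either part fails to parse."""
    m = TIME_RE.match(raw)
    if not date_text or not m:
        return None
    try:
        base = datetime.strptime(date_text + m.group(1), "%d-%m.%y%H:%M:%S")
    except ValueError:
        return None
    # Assumption: trailing digits are a decimal fraction of a second.
    micros = int(m.group(2).ljust(6, "0")[:6])
    return base.replace(microsecond=micros)

def check(source, raw):
    """Return (offset_result, pattern_result) as ISO strings or None."""
    results = []
    for extract in (date_by_offset, date_by_pattern):
        ts = event_time(extract(source), raw)
        results.append(ts.isoformat() if ts else None)
    return tuple(results)

if __name__ == "__main__":
    for src in (SAMPLE_SOURCE, ROTATED_SOURCE):
        print(src, check(src, SAMPLE_RAW))
```

A `None` in the first position with a value in the second means the fixed offset no longer lands on the date for that file name.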