Getting Data In

Parse date without having a time

OL
Communicator

Hi all,

I'm trying to index some csv files which contain data without a timestamp. I only have the date, which is part of the name of the files. I don't mind not having the time, as what is important is the day it has been created. Unfortunately, the changes I have made result in the same output: the datetime of the event is the last modified datetime of the file. Here is what I have done:

Name of the file: "13 02 01 myfile.csv"

Props:

[my_csv_file]
DATETIME_CONFIG = \etc\system\local\datetime.xml
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
pulldown_type = 1

\etc\system\local\datetime.xml:

...
<define name="_masheddate3" extract="year, month, day">
  <text><![CDATA[(?:^|source::).*?(?<!\d|\d\.|-)(?:20)?([901]\d) (0\d|1[012]) ([012]\d|3[01])(?!\d|-| {2,}).*\.csv]]></text>
</define>
...
<datePatterns>
      <use name="_masheddate3"/>
      ...
</datePatterns>

Does anyone know how to solve this issue?

Regards,
Olivier

sideview
SplunkTrust

I might be reading too much into the position of the "..." in <datePatterns>, but if you've actually listed your <use> node as the first one in your datetime.xml, instead of as the last one, that might be it.

The last one wins I think so it might be just matching an earlier rule before it gets to yours.

Move it to the end of the list.

0 Karma

OL
Communicator

Hello,

I have tested a situation where I have a timestamp in the CSV file and everything works as expected. So the problem is really that it cannot find any time in the events, so it ignores the date as well.

Does anyone know how to force a specific time?

Regards,
Olivier

0 Karma

OL
Communicator

Hello sideview,

Thank you for your answer. Yes indeed, I have placed the at the first place as I thought this was the order (_usdate1 is used first!). I have moved it to the last place but I have the same issue 😞

Regards,
Olivier

0 Karma