Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

input for splunk

achille83
Explorer
‎05-16-2020 12:28 PM

Hi,
I should monitor a log file in a Splunk all-in-one windows-based.
This file contains a sequence of rows with a time in the format HH:MM:SS and in the file name there is the date (DD-MM-YYYY).
How can I associate the right timestamp to the events taking the date from filename and the time from the rows contained in the file?
Thanks to everyone for the support.

Tags (1)
0 Karma
Reply

PavelP
Motivator
‎05-16-2020 02:32 PM

Hello @achille83

is the log file modification time/date corresponds with the file name? For example are the events in the 16-05-2020.log being written on 16-05-2020 or later? This is a pretty common scenario and splunk is able to handle it: https://docs.splunk.com/Documentation/Splunk/latest/Data/HowSplunkextractstimestamps

If no events in a source have a date, Splunk software tries to find a date in the source name or file name.

So your option is to configure a correct TIME_FORMAT and TIME_PREFIX and let splunk to extract data from the source file name.

I've just tested and it works for log named 2020-04-10.log (events have data 10 Apr 2020) but not for 10-04-2020.log so you may need to adjust your software to create logs with a right file name to "help" splunk.

If all this doesn't work, you can create a custom datetime.xml file, here is an example https://www.splunk.com/en_us/blog/tips-and-tricks/configure-splunk-to-pull-a-date-out-of-a-non-stand...

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...

Secure Your Future: Mastering Upgrade Readiness for Splunk 10

Spotlight: The Splunk Health Assistant Add-On  The Splunk Health Assistant Add-On is your ultimate companion ...

Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM

Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team on ...