Here's what you need to do:
$SPLUNK_HOME/etc/datetime.xml
as a reference for the format to use for your own custom datetime.xml. Just to get you started, here's what you'll probably want to have in your own instance of datetime.xml to extract dates from your file source:
(...)
(...)
The easy way to go about this would be to copy $SPLUNK_HOME/etc/datetime.xml
to your custom app and then add the regular expression definition at the end of the existing ones, and reference it under
as shown above.
props.conf:
[mysourcetype]
TRANSFORMS-change_time = change_time

transforms.conf:
[change_time]
# Lazy .*? keeps the whole first digit group. A greedy .+ in front of \d+ backtracks
# and leaves only the last digit of that group (e.g. "4-03-05" out of "2024-03-05").
INGEST_EVAL = _time = strptime(replace(source, ".*?(\d+-\d+-\d+).*", "\1"), "%H-%M-%S")
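Added Python check, not code from the thread, that mirrors what the replace()/strptime pair in the transforms.conf stanza does, so that a regex/format combination can be tried against your own source paths before it goes into an index-time config. The sample paths, the GREEDY/LAZY names and the extract_time helper are constructed for this illustration. It also shows why a greedy ".+" ahead of "\d+" is a trap: the regex engine backtracks and hands the capture group only the last digit of the first number, and a permissive strptime format then accepts that truncated value silently instead of failing.

```python
import re
from datetime import datetime
from typing import Dict, Optional, Tuple

# Constructed sample values of the Splunk "source" field (not from the thread).
SAMPLE_SOURCES = [
    "/var/log/app/export_2024-03-05_report.log",  # date-shaped group in the name
    "/data/backup_14-30-05.log",                  # time-shaped group in the name
]

# Pattern as written in the stanza above, and a lazy variant for comparison.
GREEDY = r".+(\d+-\d+-\d+).+"
LAZY = r".*?(\d+-\d+-\d+).*"


def capture(source: str, pattern: str) -> str:
    """Equivalent of replace(source, pattern, "\\1").

    Like the SPL function, an unmatched pattern leaves the string unchanged.
    """
    return re.sub(pattern, r"\1", source)


def extract_time(source: str, pattern: str, fmt: str) -> Optional[datetime]:
    """Equivalent of strptime(replace(source, pattern, "\\1"), fmt).

    Returns None where the SPL eval would yield null, i.e. when the captured
    text does not satisfy the strptime format.
    """
    captured = capture(source, pattern)
    try:
        return datetime.strptime(captured, fmt)
    except ValueError:
        return None


def compare_patterns() -> Dict[str, Tuple[str, str]]:
    """Capture of each sample source under the greedy and the lazy pattern."""
    return {src: (capture(src, GREEDY), capture(src, LAZY)) for src in SAMPLE_SOURCES}


def validate(pattern: str, fmt: str) -> Dict[str, Optional[str]]:
    """Run one regex/format pair over the samples; None marks a parse failure."""
    out: Dict[str, Optional[str]] = {}
    for src in SAMPLE_SOURCES:
        parsed = extract_time(src, pattern, fmt)
        out[src] = parsed.isoformat() if parsed else None
    return out


if __name__ == "__main__":
    for src, (greedy_hit, lazy_hit) in compare_patterns().items():
        print(f"{src}\n  greedy -> {greedy_hit!r}\n  lazy   -> {lazy_hit!r}")
    print("greedy + %H-%M-%S:", validate(GREEDY, "%H-%M-%S"))
    print("lazy   + %H-%M-%S:", validate(LAZY, "%H-%M-%S"))
    print("lazy   + %Y-%m-%d:", validate(LAZY, "%Y-%m-%d"))
```

Running it shows the greedy pattern turning "2024-03-05" into "4-03-05" and "14-30-05" into "4-30-05", both of which "%H-%M-%S" still accepts as 04:03:05 and 04:30:05, so _time would be wrong without any error. The lazy pattern keeps the full group; a date-shaped value then fails "%H-%M-%S" (null _time, which Splunk falls back from) and parses only with a matching format such as "%Y-%m-%d". Whatever regex you settle on, run it over a handful of real source names this way before relying on it at index time.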
It seems a time is necessary at least.
"If no events in a source have a date, Splunk Enterprise tries to find one in the source name or file name. (This requires that the events have a time, even though they don't have a date.)"
@asimagu
Hi, I've had the same problem, couldn't get it to work at all, Splunk used the modification date instead.
I ended up with overriding _time by using EVAL in props.conf. Not the most elegant solution, but it works for now.
However, it would be nicer to do it at index time as it should, so I really hope you find a solution that works for me as well 🙂
Hi guys, I have tried replicating this same config and filename on Splunk 5.0.2 but it is not working for me.
Any known issues on Splunk 5 about this?