strptime() format expression examples
Below are some sample date formats with strptime() expressions that handle them.
Sample date                    strptime() expression
1998-12-31                     %Y-%m-%d
98-12-31                       %y-%m-%d
1998 years, 312 days           %Y years, %j days
Jan 24, 2003                   %b %d, %Y
January 24, 2003               %B %d, %Y
q|25 Feb '03 = 2003-02-25|     q|%d %b '%y = %Y-%m-%d|
Does one exist for yyyymmddhhmmss?
My source field will look like this: /dir/to/file/on/20100526123445/file.txt
Curious if the dynamic date extraction could figure this out.
For extractions from a path, open up the $SPLUNK_HOME/etc/datetime.xml and search for entries prefixed with source::. It doesn't look like one exists right now, but you would probably have to add one. Since your timestamp has no breakers in it (there are no non-digits after the yyyymmdd portion) then nothing in the source will match, based on the existing rexes in datetime.xml.
I see you've had some other questions on this topic. I'm guessing that you're creating your own datetime.xml and it isn't working. Is that correct? If you post what you've tried someone may be able to help track it down.
And just for the record, the datetime.xml file uses all regexes, and is not a strptime() thing at all.
Are you looking to set up a TIME_FORMAT entry in a props.conf file? If so, try:
TIME_FORMAT = %Y%m%d%H%M%S
No, it will not get that format, though it might be able to get the date if the timestamps are in the file. If there is nothing in the file that can be misinterpreted as the date (which after all is just a 14-digit number), you may be able to use TIME_FORMAT. Otherwise, you should define a custom datetime.xml file.
I tried http://www.splunk.com/base/Documentation/4.1.2/Admin/TrainSplunkToRecognizeATimestamp to help build the regex on "/dir/to/file/on/20100526123445/file.txt" to parse the date fields... but to no avail. I wanted to use that regex for my _masheddate3 in a local datetime.xml for my app. Am I closer?
I misunderstood what TIME_PREFIX did. The closer I look at the results of the indexing ... I notice it didn't work. There were a bunch of coincidental matches on information within the file. 😕
Is the name (full path) of the log file stored within the log file itself? I didn't think you could use a TIME_PREFIX to match against source.
If it was /home/kirb/logs/20100521123456/file.txt:
TIME_PREFIX=\/logs\/
TIME_FORMAT=%Y%m%d%H%M%S
This worked... HOWEVER... it only worked if I specified TIME_PREFIX.
You should use something like %Y%m%d%H%M%S
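The thread's recurring problem, that a bare 14-digit run only counts as a timestamp when it is anchored and validated, shown as an added Python sketch. It is not part of the original posts and is not Splunk's own extraction logic; the function names and the sample event text are constructed for illustration.

```python
import re
from datetime import datetime

FMT = "%Y%m%d%H%M%S"  # the format suggested in the thread
# Anchored: exactly 14 digits that form a whole path component.
PATH_COMPONENT = re.compile(r"(?<=/)(\d{14})(?=/)")
# Unanchored: every 14-digit window, even inside a longer number.
ANY_14_DIGITS = re.compile(r"(?=(\d{14}))")


def parse_stamp(digits):
    """Return a datetime if the 14 digits are a real calendar time, else None."""
    try:
        return datetime.strptime(digits, FMT)
    except ValueError:  # month 13, Feb 31, hour 40, ...
        return None


def timestamp_from_source(path):
    """First path component that is exactly 14 digits and a valid timestamp."""
    for m in PATH_COMPONENT.finditer(path):
        ts = parse_stamp(m.group(1))
        if ts is not None:
            return ts
    return None


def coincidental_matches(text):
    """Every 14-digit window in free text that happens to parse as a time."""
    hits = []
    for m in ANY_14_DIGITS.finditer(text):
        ts = parse_stamp(m.group(1))
        if ts is not None:
            hits.append((m.group(1), ts))
    return hits


if __name__ == "__main__":
    # Path taken from the question; the event text is a constructed sample.
    print(timestamp_from_source("/dir/to/file/on/20100526123445/file.txt"))
    print(coincidental_matches("txn=4920110314092653 status=ok"))
```

The unanchored scan reports timestamps inside the constructed transaction id, the same kind of coincidental match described above, while the anchored path lookup ignores that digit run.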