I used eval to create a field with yesterday's date:
| eval today=strftime(now(),"%Y%m%d")
I want to search on events where the filename field contains that today variable / yesterday's date. The last 8 characters of a filename will contain the file date (ex: file20130628.csv).
You're probably better off defining an eval-based macro that computes the date string you're looking for, and including that in the initial search. That way you do not need to load all events, eval your field, and then have Splunk notice it would not have needed to load that particular event. Consider an eval-based macro called yesterday
that looks like this:
strftime(relative_time(time(), "-d"), "%Y%m%d")
That allows you to write searches like this:
index=foo source=*`yesterday`* | further processing
That search will internally get expanded to this:
search index=foo source=*20130627* | further processing
The number of events Splunk needs to scan - and hence your search performance - should improve massively.
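For reference, this is how such an eval-based macro is defined on disk. It is an added example, not part of the answer above: the stanza name yesterday and the definition are taken from the answer, the file path is the standard per-app location, and <your_app> is a placeholder.

```ini
# $SPLUNK_HOME/etc/apps/<your_app>/local/macros.conf
# Added example: an eval-based search macro named "yesterday", as
# described in the answer above. The same macro can be created in the
# UI under Settings > Advanced search > Search macros.
[yesterday]
# iseval = 1 tells Splunk to evaluate "definition" as an eval expression
# once per search and substitute the result (e.g. 20130627) into the
# search string, instead of inserting the text literally.
iseval = 1
definition = strftime(relative_time(time(), "-d"), "%Y%m%d")
```

With this stanza in place, index=foo source=*`yesterday`* expands to the literal date filter shown above before any events are read, so the date restriction is applied by the indexer rather than by a later | eval and | where over every event.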
Hello,
any solution without using a macro? Why does it filter with | search or | where filters?
I want to filter sources having yesterday date in their filenames.
Thanks.
It worked with WHERE:
| eval yesterday=strftime(relative_time(time(), "-d"), "%Y%m%d")
| where filedate=yesterday
This did not work. The today variable did not get expanded.
The macro worked well!
I got it to work so far:
| eval yesterday=strftime(relative_time(time(), "-d"), "%Y%m%d")
| where filedate=yesterday
I will create a macro soon.
To be clear, you are saying that the eval does this yesterday calculation for every event, whereas the macro will expand once per search?
I imagine the filename is equal to the source name for the event. So I would match against the source field.
Actually, in this case, it is not. It is in the event data and I rex it out.
index=_internal WatchedFile z:\logs ("Reached EOF" OR "off=0")
| rex "(?
You may want to look into the like or islike functions.
This should do the trick: