Splunk Search

Extract data of only one day from the csv file

harshal_chakran
Builder

Hi,

I have a csv file which looks like this

[image: sample rows of the csv file]

I am trying to display a table with "ID" and "timestamp" showing only the most recent day, i.e. 2014-10-8.
It should look like:

[image: expected table]

I have tried the bucket and span commands, but didn't get the expected output.
Please help!


esix_splunk
Splunk Employee

What are you trying to do?

bucket and span are both timestamp based. If you are importing a CSV file and Splunk doesn't recognize the timestamp by default, you'll have to specify the timestamp field. Otherwise your imported csv is just two fields, ID and DATE, containing the ID and DATE values.

If you want the date field to be recognized as the time stamp for the field ID, then you'll need to modify the sourcetype via props.conf.

http://docs.splunk.com/Documentation/Splunk/6.1.4/Data/Configuretimestamprecognition#Edit_timestamp_...

[mycsv]
# TIME_PREFIX is a regex: the timestamp starts right after the first comma (ID,DATE)
TIME_PREFIX = ,
# ISO 8601 with milliseconds and a trailing Z, i.e. YYYY-MM-DDTHH:MM:SS.mmmZ
# (%m = month, %M = minute, %S = second, %3N = milliseconds)
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3NZ

You'll need to work on the strptime formatting of your 'timestamp' field.

harshal_chakran
Builder

Thanks,
I have converted it into splunk readable timestamp now.

... | eval timestamp=strptime(Date, "%Y-%m-%dT%H:%M:%S.%3NZ") | eval req_time=strftime(timestamp, "%d/%m/%Y %I:%M:%S %p")

But how can I extract only the recent day's rows data?


esix_splunk
Splunk Employee

Search for event times in the last 24 hours with an eval, as Ledion says:

... | where timestamp > now() - 24*3600


Ledion_Bitincka
Splunk Employee

Is the timestamp of the records recognized by Splunk as the event time? If so, you should be able to use the time range picker to select only the last day.

If the Date field is not used for timestamp extraction, you can parse it using the strptime function in eval and then use where to filter the events. At a high level the search should look something like this:

.... | eval t=strptime(Date, .....) | where t > now() - 24*3600


harshal_chakran
Builder

Hi,
Thanks Ledion
I have tried the same query you posted above. But I guess the result I am looking for is a little different.
Actually the data I am getting is not continuous, hence whatever the date on the logs, whether 2014 or 2011, I need to extract the data of only the last day in the logs. It should not have any correlation with the current date.

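The thread ends without a search that does what the last post asks for: keep only the rows from the latest day that actually appears in the data, whatever that day is, rather than the last 24 hours relative to now(). The search below is an added example, not something posted in the thread. It assumes the rows are searchable as sourcetype=mycsv (the stanza name used in the props.conf example above) and that Date is the ISO 8601 string with milliseconds and a trailing Z matched by the strptime call above; ID and Date are the field names from the original post, while t, day, latest_t and latest_day are names chosen here.

```spl
sourcetype=mycsv
| eval t=strptime(Date, "%Y-%m-%dT%H:%M:%S.%3NZ")
| eval day=strftime(t, "%Y-%m-%d")
| eventstats max(t) AS latest_t
| eval latest_day=strftime(latest_t, "%Y-%m-%d")
| where day=latest_day
| table ID Date
| sort - Date
```

Two things to check when running it. The time range picker must cover all of the data (for example All time), otherwise eventstats computes the maximum over a clipped set and "latest day" silently becomes "latest day inside the picker range". And the literal Z in the format only has to match the character in the string; without a %z specifier, strptime and strftime use the searching user's Splunk timezone, so the day boundary follows that timezone rather than UTC. If the rows near midnight matter, compare day strings produced with the same timezone setting, or keep the comparison on the epoch value t and bucket it with bin span=1d instead of strftime.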