Solved: How to search for a source file with a timestamp i...

karthikTIL · ‎11-02-2014

HI, I have files everyday with timestamp automatically like
report_3nov2014.csv
report_4nov2014.csv
report_5nov2014.csv, etc

Please let me know how do i search file generated today(report_3nov2014.csv) based on timestamp while i search using source="..." command

somesoni2 · ‎11-03-2014

Another alternative

index=blah sourcetype=blahblah source=[|gentimes start=-1 | eval search="*report_" + strftime(now(), "%e%b%Y") + ".csv" | table search] | rest of your search...

View solution in original post

somesoni2 · ‎11-03-2014

Another alternative

index=blah sourcetype=blahblah source=[|gentimes start=-1 | eval search="*report_" + strftime(now(), "%e%b%Y") + ".csv" | table search] | rest of your search...

MuS · ‎11-02-2014

Hi karthikTIL,

try something like this:

... | eval file_date=strftime(now(), "%e%b%Y") | eval mySource="report_" + file_date + ".csv" | where match(source, mySource) | ...

or a more generic approach

... | eval file_date=strftime(now(), "%e%b%Y") | eval mySource="." + file_date + "." | where match(source, mySource) | ...

This will use the mySource field as regex on the source field and returns all sources with matching dates in the value.

hope this helps ...

cheers, MuS

karthikTIL · ‎11-04-2014

Thank you!

MuS · ‎11-04-2014

another approach just came up my mind:
if you always need today's or yesterday's date in the source name, than you could use an eval based macro containing something like this:

strftime(relative_time(time(), "-d"), "%e%b%Y")

If your macro is named yesterday you can use it like this in your searches:

 index=foo  source=*`yesterday`* | ...

How to search for a source file with a timestamp in the name?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms