Hi Splunk support,
I have a set of log files whose names are as below (today is 20170723):
application_20170721.log
application_20170722.log
application_20170723.log
In Unix, it would be something like application_`date +%Y%m%d`.log
In order to search the latest log file, what should the search command be,
so that it can be something like source="application_`date +%Y%m%d`.log"?
How about this search?
(your search) [| tstats max(_time) as wk_time where sourcetype=(your sourcetype)|eval source="application_"+strftime(wk_time,"%Y%m%d")+".log"| fields source]
OR
where sourcetype=(your sourcetype)→where source="application_*.log"
Hi oolongcat,
you could use
[monitor://your_path/application_*.log]
index = your_index
sourcetype = your_sourcetype
disabled = 0
ignoreOlderThan = 2d
In this way you have all the events of the last two days (or a different time range) and none older.
Bye.
Giuseppe
Hi Cusello,
Thanks for your reply.
Your way seems like it will ignore all the log files older than 2 days, but this is not what I want.
Is there any way to do something like the below:
[search source="application_" +strftime(time(),"%Y%m%d") + ".log"]
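The subsearch from the first reply and the date-built filename asked for in the last reply, written out as two complete searches. This is an added example, not code from the thread or from Splunk's documentation; your_index and your_sourcetype are placeholders for the asker's own values, and the application_YYYYMMDD.log naming is taken from the question.

```spl
index=your_index sourcetype=your_sourcetype
    [| tstats max(_time) as wk_time
         where index=your_index sourcetype=your_sourcetype source="application_*.log"
     | eval source="application_".strftime(wk_time,"%Y%m%d").".log"
     | fields source]

index=your_index sourcetype=your_sourcetype
    [| makeresults
     | eval source="application_".strftime(now(),"%Y%m%d").".log"
     | fields source]
```

Each subsearch returns a single row with one field, which Splunk rewrites into source="application_20170723.log" and ANDs onto the outer search, so you get the source= filter from the question without hard-coding the date. The first form follows the newest file that actually has indexed events (what the first reply does), which is the safer choice right after midnight or when the current day's file has not been indexed yet; the second follows the search head's clock via now(), which is the application_`date +%Y%m%d`.log idea from the question, and it assumes the search head's time zone matches the host that names the files. String concatenation in eval uses the period operator. Note that ignoreOlderThan in inputs.conf decides which files the forwarder indexes at all, not which events a search returns, so a search-time filter like this is the layer that keeps the older files available while still searching only the latest one.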