Solved: Search on an eval variable - find filenames with y...

raziasaduddin · ‎06-28-2013

I used eval to create a field with the yesterday's date:

| eval today=strftime(now(),"%Y%m%d")

I want to search on events where the filename field contains that today variable / yesterday's date. The last 8 characters of a filename will contain the file date (ex: file20130628.csv).

martin_mueller · ‎06-28-2013

You're probably better off defining an eval-based macro that computes the date string you're looking for, and including that in the initial search. That way you do not need to load all events, eval your field, and then have Splunk notice it would not have needed to load that particular event. Consider an eval-based macro called yesterday that looks like this:

strftime(relative_time(time(), "-d"), "%Y%m%d")

That allows you to write searches like this:

index=foo source=*`yesterday`* | further processing

That search will internally get expanded to this:

search index=foo source=*20130627* | further processing

The number of events Splunk needs to scan - and hence your search performance - should improve massively.

View solution in original post

splunkreal · ‎01-18-2018

Hello,

any solution without using a macro? Why does it filter with | search or | where filters?

I want to filter sources having yesterday date in their filenames.

Thanks.

* If this helps, please upvote or accept solution 🙂 *

raziasaduddin · ‎06-28-2013

it worked with WHERE:

| eval yesterday=strftime(relative_time(time(), "-d"), "%Y%m%d")
| where filedate=yesterday

raziasaduddin · ‎06-28-2013

This did not work. The today variable did not get expanded.

martin_mueller · ‎06-28-2013

You're probably better off defining an eval-based macro that computes the date string you're looking for, and including that in the initial search. That way you do not need to load all events, eval your field, and then have Splunk notice it would not have needed to load that particular event. Consider an eval-based macro called yesterday that looks like this:

strftime(relative_time(time(), "-d"), "%Y%m%d")

That allows you to write searches like this:

index=foo source=*`yesterday`* | further processing

That search will internally get expanded to this:

search index=foo source=*20130627* | further processing

The number of events Splunk needs to scan - and hence your search performance - should improve massively.

raziasaduddin · ‎07-01-2013

The macro worked well!

raziasaduddin · ‎06-28-2013

I got it to work so far:

| eval yesterday=strftime(relative_time(time(), "-d"), "%Y%m%d")

| where filedate=yesterday

I will create a macro soon.

To be clear, you are saying that the eval does this yesterday calculation for every event, whereas, the macro, will expand once per search?

starcher · ‎06-28-2013

I imagine the filename is equal to the source name for the event. So I would match against the source field.

raziasaduddin · ‎06-28-2013

Actually, in this case, it is not. It is in the event data and I rex it out.

index=_internal WatchedFile z:\logs ("Reached EOF" OR "off=0")
| rex "(?z:.+?)\s"

aholzer · ‎06-28-2013

You may want to look into the like or islike functions.

This should do the trick:

| where like(filename, "%"+today+"%")

Search on an eval variable - find filenames with yesterday's date

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

New in Observability Cloud - Explicit Bucket Histograms