I am a fairly new Splunk user. I have 5 different source types. Each sourcetype represents a unique txt file that generates every half hour. Each of the five txt files is written to a subdirectory of D:\testing\, i.e. D:\testing\subdir1, D:\testing\subdir2, etc.
I need to accomplish 4 goals:
Search only the last log file that generated for each Sourcetype (the -30m@m timeframe).
Count the number of Lines in each file (subtracting 1 line from each).
Identify the Indextime for each of the 5 log files.
Display "Sourcetype", "Count", and "Indextime" in one table (sorted by count) for a total of 5 rows and 3 columns of data.
Search #1 - Displays Sourcetype and Count in a table with no problems.
earliest=-30m@m | search source="D:\\testing\\*" | stats sum(linecount) as "linecount" by sourcetype | eval Count=linecount-1 | sort 0 - "Count" | table "sourcetype" "Count"
Search #2 - Displays Sourcetype and Indextime in a table with no problems.
earliest=-30m@m | search source="D:\\testing\\*" | eval "Indextime"=strftime(_indextime,"%+")| table "sourcetype" "Indextime"
Search #3 - When I try to combine both searches into one, I get results similar to Search #1 but with no data in the Indextime column.
earliest=-30m@m | search source="D:\\testing\\*" | stats sum(linecount) as "linecount" by sourcetype | eval Count=linecount-1 | eval "Indextime"=strftime(_indextime,"%+") | sort 0 "Count" | table "sourcetype" "Count" "Indextime"
I've been struggling with this for a couple of days and would appreciate it if someone could help me come up with a solution that I can try.
Note that I have no choice but to use Indextime because there are no timestamps in these txt files.
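An added example, not taken from the original post, of one way to carry the index time through the aggregation. The stats command only emits its by-fields and the aggregates it is asked to compute, so _indextime no longer exists by the time the later eval runs, which is why the Indextime column comes out empty in Search #3. Computing max(_indextime) per sourcetype inside stats keeps the latest index time of each file alongside the line count. The field name last_indextime is my own choice; the time window, source path and "%+" format are the ones used in the post's searches.

```spl
earliest=-30m@m source="D:\\testing\\*"
| stats sum(linecount) as linecount, max(_indextime) as last_indextime by sourcetype
| eval Count=linecount-1
| eval Indextime=strftime(last_indextime,"%+")
| sort 0 - Count
| table sourcetype Count Indextime
```

Because each file is only indexed once per half hour, max(_indextime) within the -30m@m window is the index time of that file's single latest arrival, so the result is one row per sourcetype with Count and Indextime populated. If a file were ever indexed more than once inside the window, max picks the most recent arrival and sum(linecount) would total both, so check the event count per sourcetype if the numbers look inflated.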