https://community.splunk.com/t5/Splunk-Search/Read-data-between-in-log-file-based-on-date/m-p/343278#M162475 <P>Splunk reads whole file everyday and it can lead to increase in DB size.<BR /> I want Splunk to only data between current and next day date from log file.</P> <P>No like first Splunk whole file and do indexing and then it give me one day data.</P> Tue, 13 Mar 2018 04:11:45 GMT axs21 2018-03-13T04:11:45Z https://community.splunk.com/t5/Splunk-Search/Read-data-between-in-log-file-based-on-date/m-p/343273#M162470 <P>Hi,</P> <P>I have a log file and want to read everyday data only.<BR /> File Format is like</P> <P>sometextsometext<BR /> <STRONG>Friday, March 9, 2018 03:08:15 PM SGT</STRONG><BR /> Somedata<BR /> Somedata<BR /> <STRONG>Friday, March 10, 2018 03:08:15 PM SGT</STRONG><BR /> SomeDataSomeData<BR /> <STRONG>Saturday, March 11, 2018 03:08:15 PM SGT</STRONG></P> <P>I want to read data from previous day to current day. Is is possible ? Please suggest.<BR /> E.g. in above file,<BR /> I want to read data between March 9 to March 10<BR /> Next Day, I want to read from March 10 to March 11<BR /> and so on</P> <P>Is it possible to achieve? Please suggest.<BR /> Thanks,<BR /> AXS</P> Fri, 09 Mar 2018 07:13:41 GMT https://community.splunk.com/t5/Splunk-Search/Read-data-between-in-log-file-based-on-date/m-p/343273#M162470 axs21 2018-03-09T07:13:41Z https://community.splunk.com/t5/Splunk-Search/Read-data-between-in-log-file-based-on-date/m-p/343274#M162471 <P>Is the data from this file indexed into Splunk? What dictates an event break - each new line? Or is this data in a lookup file? </P> Fri, 09 Mar 2018 14:25:42 GMT https://community.splunk.com/t5/Splunk-Search/Read-data-between-in-log-file-based-on-date/m-p/343274#M162471 elliotproebstel 2018-03-09T14:25:42Z https://community.splunk.com/t5/Splunk-Search/Read-data-between-in-log-file-based-on-date/m-p/343275#M162472 <P>How often the file is updated, real-time or once a day??</P> Fri, 09 Mar 2018 16:09:16 GMT https://community.splunk.com/t5/Splunk-Search/Read-data-between-in-log-file-based-on-date/m-p/343275#M162472 somesoni2 2018-03-09T16:09:16Z https://community.splunk.com/t5/Splunk-Search/Read-data-between-in-log-file-based-on-date/m-p/343276#M162473 <P>Relative time windows is the solution. But it does not make much sense, how can you read logs from today if the day is not finish?</P> <PRE><CODE>| search earliest=-@1d latest=+@1d </CODE></PRE> <P>You should instead </P> <PRE><CODE>| search earliest=-1d </CODE></PRE> Sun, 11 Mar 2018 07:44:01 GMT https://community.splunk.com/t5/Splunk-Search/Read-data-between-in-log-file-based-on-date/m-p/343276#M162473 valiquet 2018-03-11T07:44:01Z https://community.splunk.com/t5/Splunk-Search/Read-data-between-in-log-file-based-on-date/m-p/343277#M162474 <P>The file is updated on realtime.<BR /> Another thing is splunk reads whole file but I want Splunk to read data only from current date and to next date from log file.</P> Tue, 13 Mar 2018 04:09:34 GMT https://community.splunk.com/t5/Splunk-Search/Read-data-between-in-log-file-based-on-date/m-p/343277#M162474 axs21 2018-03-13T04:09:34Z https://community.splunk.com/t5/Splunk-Search/Read-data-between-in-log-file-based-on-date/m-p/343278#M162475 <P>Splunk reads whole file everyday and it can lead to increase in DB size.<BR /> I want Splunk to only data between current and next day date from log file.</P> <P>No like first Splunk whole file and do indexing and then it give me one day data.</P> Tue, 13 Mar 2018 04:11:45 GMT https://community.splunk.com/t5/Splunk-Search/Read-data-between-in-log-file-based-on-date/m-p/343278#M162475 axs21 2018-03-13T04:11:45Z https://community.splunk.com/t5/Splunk-Search/Read-data-between-in-log-file-based-on-date/m-p/343279#M162476 <P>Each new line dictates an event break</P> Thu, 15 Mar 2018 03:19:53 GMT https://community.splunk.com/t5/Splunk-Search/Read-data-between-in-log-file-based-on-date/m-p/343279#M162476 axs21 2018-03-15T03:19:53Z