Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to search for sources with a timestamp pattern

a212830
Champion
‎04-09-2016 04:58 PM

Hi,

I want to search for a set of files that end in YYYYMMDD_HHMMSS_PID.log format and I want to search on files that match today's date. How would I do that?

0 Karma
Reply

sloshburch
Ultra Champion
‎06-13-2016 12:45 PM

Use a regex tool to define/mature your pattern - https://regex101.com/ is great!

0 Karma
Reply

woodcock
Esteemed Legend
‎04-09-2016 06:18 PM

Like this:

<other parts of base search>  [|noop|stats count AS source|eval source=strftime(now(), "*%Y%m%d_*_*")]
0 Karma
Reply

a212830
Champion
‎04-09-2016 06:42 PM

Thanks. PID is actually a number, which can vary in length. How would I grab that as well?

0 Karma
Reply

woodcock
Esteemed Legend
‎04-09-2016 07:05 PM

Answer updated.

0 Karma
Reply

a212830
Champion
‎04-09-2016 08:12 PM

Thanks. Not working...

Here is a sample sources:

ORS_MMK_Node2_PR.20160409_224023_783.log
ORS_RTP_Node1_PR.20160409_221411_433.log
ORS_OMA_Node3_PR.20160409_214537_963.log

ORS_MMK_Node1_PR.20160409_212722_403.log

Here's my search:

index=main sourcetype=check_log_permissions RESOURCE_TYPE=file (RESOURCE!="du" AND RESOURCE!="cd") |fields RESOURCE |table RESOURCE | eval file_date=strftime(now(), "%Y%m%d__") |eval mySource="ORS__Node_PR." + file_date + ".log" |where match(RESOURCE,mySource)

Comes back with nothing. If I remove the where clause, it comes back with a bunch. I'd like to be able to search across all the source examples, using wildcards, rather than hard-coding anything.

0 Karma
Reply

woodcock
Esteemed Legend
‎04-09-2016 09:22 PM

You didn't tell me that the field in question is RESOURCE. This is why you should ALWAYS post your search strings. I naturally assumed that you were using field source. Try this:

index=main sourcetype=check_log_permissions RESOURCE_TYPE=file (RESOURCE!="du" AND RESOURCE!="cd") [|noop|stats count AS RESOURCE|eval RESOURCE=strftime(now(), "*%Y%m%d_*_*")]
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...