Getting Data In

How to search for sources with a timestamp pattern

a212830
Champion

Hi,

I want to search for a set of files that end in YYYYMMDD_HHMMSS_PID.log format and I want to search on files that match today's date. How would I do that?

0 Karma

sloshburch
Splunk Employee
Splunk Employee

Use a regex tool to define/mature your pattern - https://regex101.com/ is great!

0 Karma

woodcock
Esteemed Legend

Like this:

<other parts of base search>  [|noop|stats count AS source|eval source=strftime(now(), "*%Y%m%d_*_*")]
0 Karma

a212830
Champion

Thanks. PID is actually a number, which can vary in length. How would I grab that as well?

0 Karma

woodcock
Esteemed Legend

Answer updated.

0 Karma

a212830
Champion

Thanks. Not working...

Here is a sample sources:

ORS_MMK_Node2_PR.20160409_224023_783.log
ORS_RTP_Node1_PR.20160409_221411_433.log
ORS_OMA_Node3_PR.20160409_214537_963.log

ORS_MMK_Node1_PR.20160409_212722_403.log

Here's my search:

index=main sourcetype=check_log_permissions RESOURCE_TYPE=file (RESOURCE!="du" AND RESOURCE!="cd") |fields RESOURCE |table RESOURCE | eval file_date=strftime(now(), "%Y%m%d__") |eval mySource="ORS__Node_PR." + file_date + ".log" |where match(RESOURCE,mySource)

Comes back with nothing. If I remove the where clause, it comes back with a bunch. I'd like to be able to search across all the source examples, using wildcards, rather than hard-coding anything.

0 Karma

woodcock
Esteemed Legend

You didn't tell me that the field in question is RESOURCE. This is why you should ALWAYS post your search strings. I naturally assumed that you were using field source. Try this:

index=main sourcetype=check_log_permissions RESOURCE_TYPE=file (RESOURCE!="du" AND RESOURCE!="cd") [|noop|stats count AS RESOURCE|eval RESOURCE=strftime(now(), "*%Y%m%d_*_*")]
0 Karma
Get Updates on the Splunk Community!

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...