How to search for sources with a timestamp pattern

a212830 · ‎04-09-2016

Hi,

I want to search for a set of files that end in YYYYMMDD_HHMMSS_PID.log format and I want to search on files that match today's date. How would I do that?

sloshburch · ‎06-13-2016

Use a regex tool to define/mature your pattern - https://regex101.com/ is great!

woodcock · ‎04-09-2016

Like this:

<other parts of base search>  [|noop|stats count AS source|eval source=strftime(now(), "*%Y%m%d_*_*")]

a212830 · ‎04-09-2016

Thanks. PID is actually a number, which can vary in length. How would I grab that as well?

woodcock · ‎04-09-2016

Answer updated.

a212830 · ‎04-09-2016

Thanks. Not working...

Here is a sample sources:

ORS_MMK_Node2_PR.20160409_224023_783.log
ORS_RTP_Node1_PR.20160409_221411_433.log
ORS_OMA_Node3_PR.20160409_214537_963.log

ORS_MMK_Node1_PR.20160409_212722_403.log

Here's my search:

index=main sourcetype=check_log_permissions RESOURCE_TYPE=file (RESOURCE!="du" AND RESOURCE!="cd") |fields RESOURCE |table RESOURCE | eval file_date=strftime(now(), "%Y%m%d__") |eval mySource="ORS__Node_PR." + file_date + ".log" |where match(RESOURCE,mySource)

Comes back with nothing. If I remove the where clause, it comes back with a bunch. I'd like to be able to search across all the source examples, using wildcards, rather than hard-coding anything.

woodcock · ‎04-09-2016

You didn't tell me that the field in question is RESOURCE. This is why you should ALWAYS post your search strings. I naturally assumed that you were using field source. Try this:

index=main sourcetype=check_log_permissions RESOURCE_TYPE=file (RESOURCE!="du" AND RESOURCE!="cd") [|noop|stats count AS RESOURCE|eval RESOURCE=strftime(now(), "*%Y%m%d_*_*")]

How to search for sources with a timestamp pattern

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?