Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to search for sources with a timestamp pattern
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to search for sources with a timestamp pattern
Hi,
I want to search for a set of files that end in YYYYMMDD_HHMMSS_PID.log format and I want to search on files that match today's date. How would I do that?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use a regex tool to define/mature your pattern - https://regex101.com/ is great!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
<other parts of base search> [|noop|stats count AS source|eval source=strftime(now(), "*%Y%m%d_*_*")]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks. PID is actually a number, which can vary in length. How would I grab that as well?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Answer updated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks. Not working...
Here is a sample sources:
ORS_MMK_Node2_PR.20160409_224023_783.log
ORS_RTP_Node1_PR.20160409_221411_433.log
ORS_OMA_Node3_PR.20160409_214537_963.log
ORS_MMK_Node1_PR.20160409_212722_403.log
Here's my search:
index=main sourcetype=check_log_permissions RESOURCE_TYPE=file (RESOURCE!="du" AND RESOURCE!="cd") |fields RESOURCE |table RESOURCE | eval file_date=strftime(now(), "%Y%m%d__") |eval mySource="ORS__Node_PR." + file_date + ".log" |where match(RESOURCE,mySource)
Comes back with nothing. If I remove the where clause, it comes back with a bunch. I'd like to be able to search across all the source examples, using wildcards, rather than hard-coding anything.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You didn't tell me that the field in question is RESOURCE. This is why you should ALWAYS post your search strings. I naturally assumed that you were using field source. Try this:
index=main sourcetype=check_log_permissions RESOURCE_TYPE=file (RESOURCE!="du" AND RESOURCE!="cd") [|noop|stats count AS RESOURCE|eval RESOURCE=strftime(now(), "*%Y%m%d_*_*")]
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Automating Threat Operations and Threat Hunting with Recorded Future
Keep the Learning Going with the New Best of .conf Hub
Splunk Community Badges!
