Splunk Search

A Regex to display the Current Date/Time

Dark_Ichigo
Builder

I want to write a Blacklist regex inputs.conf to ignore the latest log file based on the date compared to the current time, what would be the best way to write a regex that finds the current time/date in format of 12102012_11:41:57 which is 12/10/2012 at 11:41:57.

Any ideas?

0 Karma

Ayn
Legend

I'm not so sure you could do this with a regex unless you can somehow dynamically have it constantly rewritten. Regular expressions do not take any input, so you can't "feed" a regex with the current time in that way. Even if you could, performing calculations is something you simply cannot do with regular expressions anyway. I think your time is much better spent dealing with other ways of making sure the most recent log file differs in name or location compared to the other ones. Like moving "old" ones into a separate directory, having a somewhat different filename for the one being currently written to, etc.

0 Karma

Ayn
Legend

It does require some work, but the alternative is not to be able to solve this at all. I don't have any particular guide to refer you to - do you know some kind of script language?

As for your second question, refer to my original answer - regular expressions still cannot be used to perform that kind of calculation.

0 Karma

Dark_Ichigo
Builder

Seems like a difficult process to implement for a task like this, could you give me an example on where I could start?

Can I use NullQueue to get rid of unwanted events, by writing a regex to compare the timestamp of the event of the file to the current time and then sends it to NullQueue to prevent it from indexing?

0 Karma

Ayn
Legend

To my knowledge, it is not possible with a regular file monitor input. What you could do is to use a scripted input, and then build this logic into your script.

0 Karma

Dark_Ichigo
Builder

That is something we cannot do, We cant modify how the logs are being written or to any location, so I need to find away to avoid the log thats still being written to which is the latest log file, is it possible?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...