Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

A Regex to display the Current Date/Time

Dark_Ichigo
Builder
‎10-23-2012 11:43 PM

I want to write a Blacklist regex inputs.conf to ignore the latest log file based on the date compared to the current time, what would be the best way to write a regex that finds the current time/date in format of 12102012_11:41:57 which is 12/10/2012 at 11:41:57.

Any ideas?

0 Karma
Reply

Ayn
Legend
‎10-23-2012 11:49 PM

I'm not so sure you could do this with a regex unless you can somehow dynamically have it constantly rewritten. Regular expressions do not take any input, so you can't "feed" a regex with the current time in that way. Even if you could, performing calculations is something you simply cannot do with regular expressions anyway. I think your time is much better spent dealing with other ways of making sure the most recent log file differs in name or location compared to the other ones. Like moving "old" ones into a separate directory, having a somewhat different filename for the one being currently written to, etc.

0 Karma
Reply

Ayn
Legend
‎10-24-2012 12:11 AM

It does require some work, but the alternative is not to be able to solve this at all. I don't have any particular guide to refer you to - do you know some kind of script language?

As for your second question, refer to my original answer - regular expressions still cannot be used to perform that kind of calculation.

0 Karma
Reply

Dark_Ichigo
Builder
‎10-24-2012 12:08 AM

Seems like a difficult process to implement for a task like this, could you give me an example on where I could start?

Can I use NullQueue to get rid of unwanted events, by writing a regex to compare the timestamp of the event of the file to the current time and then sends it to NullQueue to prevent it from indexing?

0 Karma
Reply

Ayn
Legend
‎10-23-2012 11:58 PM

To my knowledge, it is not possible with a regular file monitor input. What you could do is to use a scripted input, and then build this logic into your script.

0 Karma
Reply

Dark_Ichigo
Builder
‎10-23-2012 11:55 PM

That is something we cannot do, We cant modify how the logs are being written or to any location, so I need to find away to avoid the log thats still being written to which is the latest log file, is it possible?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...