Finding embedded dates for an automated search

jboustead
Explorer

My search is pulling out events with the date embedded within the event, eg:

[2020-10-05 07:23:08.308] ALL **** sending file= /u01/shared/pc/files/OUT/IF_148/Transferring/XXX_XXXXXX..XX_LUIS_312XXX_20201005_001.csv

[2020-10-05 13:40:17.101] ALL **** sending file= /u01/shared/pc/files/OUT/IF_148/Transferring/XXX_XXXXXX..XX_EDIW_312XXX_20200721_003.CSV

The embedded dates are in the format '202001005' & '202001005' respectively. Is there a way to search in Splunk for events that will only pick up the events with a certain date embedded within them, without having to manually alter the search each time?

(current search for ref: **** sending file= /u01/shared/pc/files/OUT/IF_148/Transferring/*312*)


richgalloway
SplunkTrust

The regex command may help. It filters events based on a regular expression.

index=foo "**** sending file= /u01/shared/pc/files/OUT/IF_148/Transferring/*312*"
| regex file="2020\d{4}"
---
If this reply helps you, Karma would be appreciated.


jboustead
Explorer

That is great - thanks!

I am currently trying to use a regex to pick out the events with the date '2020XXXX' - I want the regex to pick up any event date providing it does not have 'reg' following the '.' or '_' (pick out all the event dates below, except the first). How do I do this?

Current regex: 2020\d{4}[\.\_]

List of different events/logs from the Splunk search:

_20201007144100_20200416_reg.zip

_20201007103200_20201007.zip

_20201007095000_20201007.zip

_20201007092933_20201007.zip

_20201007061717_20201007_txn.zip

_20201007041719_20201007.zip

@drich

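As an added illustration (not part of the thread, and not Splunk code), the regex from the post above and a variant with a negative lookahead are run over the filenames listed in the post; the `select` helper is a stand-in for what Splunk's `regex` command does per event, and the filenames are copied from the list as constructed sample input.

```python
import re

# Sample input, constructed from the filenames listed in the post above.
FILENAMES = [
    "_20201007144100_20200416_reg.zip",
    "_20201007103200_20201007.zip",
    "_20201007095000_20201007.zip",
    "_20201007092933_20201007.zip",
    "_20201007061717_20201007_txn.zip",
    "_20201007041719_20201007.zip",
]

# The regex from the post: an eight-digit 2020 date followed by '.' or '_'.
# It matches every filename above, including the '_reg.zip' one.
CURRENT = re.compile(r"2020\d{4}[._]")

# Same pattern with a negative lookahead: the separator must NOT be
# followed by 'reg'. PCRE, which Splunk's regex command uses, accepts the
# same syntax, e.g.  | regex _raw="2020\d{4}[._](?!reg)"
EXCLUDE_REG = re.compile(r"2020\d{4}[._](?!reg)")


def select(names, pattern):
    """Keep the names with at least one match, like '| regex' keeps events."""
    return [n for n in names if pattern.search(n)]


def main():
    for label, pattern in (("current", CURRENT), ("exclude reg", EXCLUDE_REG)):
        print(f"{label}: {select(FILENAMES, pattern)}")


if __name__ == "__main__":
    main()
```

Note that the lookahead only excludes a date whose own separator is followed by 'reg'; the earlier timestamp in the same name is still ignored because its eighth digit is followed by another digit, not by '.' or '_'.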