Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to generate _time for search in metadata?

indeed_2000
Motivator
‎11-22-2022 10:16 PM

Hi

need to generate current date like this "20201123" and use as a search filter on metadata.

AFAIK there is no "_time" in metadata so need to generate current date for search filter.

 

here is my query, 

|metadata type=sources index="app" |table source

 

any idea?

Thanks,

 

Labels (4)
Labels
Tags (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎11-24-2022 02:31 PM

It is still unclear.  If I must speculate, you are concerned about the 3rd path segment in source that resembles a date, and you want to select those that matches yesterday's date.  Is this correct?  Such intentions may be obvious to you.  But none can be certain to anyone else.  Not only is the intention absent in text, but also none of your illustrated code contains any selection command.

If the 3rd path segment is of concern, you should first extract that part, then filter based on that field, e.g.,

| metadata type=sources index="app"
| rex field=source "/data/app/(?<path_date>\d+)" ``` lots of simplification assumptions here ```
| eval yesterday=strftime(relative_time (now(), "-1d@d"),"%Y%m%d")
| where path_date == yesterday

 

View solution in original post

Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎11-22-2022 11:43 PM

metadata command does not always give you what you think - you filter the 3 fields that metadata returns first/last/recent, but I am not sure you will get what you want.

If you are trying to find sources for a particular index within a time window, you are probably better off using tstats, where you can use a _time filter.

 

 

Reply
Solved! Jump to solution

indeed_2000
Motivator
‎11-23-2022 12:37 AM

@bowesmana the reason I use metadata is so fast.

i encounter with huge files.

any other idea?

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎11-23-2022 01:46 AM

This is very confusing.  @gcusello already showed how to use now().  Is there still something missing?  An example of using now() could be to determine if a source has not updated since today at midnight:

| metadata type=sources index="app"
| where recentTime < relative_time(now(), "-0d@d")

Maybe you can explain what is the use of this _time you are trying to generate.

For example, the above use case can also be achieved without where command, as is explained in metadata#Time ranges.  Is there something that cannot be done with time picker?

Reply
Solved! Jump to solution

indeed_2000
Motivator
‎11-23-2022 03:39 AM

@yuanliu ok here is the query:

| metadata type=sources index="app"
| eval _time=relative_time (now(), "-1d@d")
| eval time=strftime(_time,"%Y%m%d")
| table source time

here is the result:

/data/app/20221122/CUS/app.log                                                                20221122
/data/app/20221122/CUS/app.log.2022-11-22                                 20221122
/data/app/20221119/CUS2/app-exception.log.2022-11-22    20221122
/data/app/20221119/CUS2/app.log.2022-11-22                             20221122

 

expected result:

/data/app/20221122/CUS/app.log                                                                20221122
/data/app/20221122/CUS/app.log.2022-11-22                                 20221122

 

any idea?

Thanks,

0 Karma
Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎11-24-2022 02:31 PM

It is still unclear.  If I must speculate, you are concerned about the 3rd path segment in source that resembles a date, and you want to select those that matches yesterday's date.  Is this correct?  Such intentions may be obvious to you.  But none can be certain to anyone else.  Not only is the intention absent in text, but also none of your illustrated code contains any selection command.

If the 3rd path segment is of concern, you should first extract that part, then filter based on that field, e.g.,

| metadata type=sources index="app"
| rex field=source "/data/app/(?<path_date>\d+)" ``` lots of simplification assumptions here ```
| eval yesterday=strftime(relative_time (now(), "-1d@d"),"%Y%m%d")
| where path_date == yesterday

 

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-22-2022 11:34 PM

Hi @indeed_2000,

if you have events in an index, you must have _time associated to each event, otherwise they weren't indexed!

Anyway, you can use eval and now() to assign the current time value to the _time field:

| metadata type=sources index="app" 
| eval _time=now()
| table _time source

in addition, you can use the addinfo command (https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Addinfo) to add other information to your search, between them there's the info_search_time that you can use.

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...