Solved: How to setup a query to search and find file names...

Log_wrangler · ‎03-15-2019

Hi,

I have a query that searches a field i.e. filenames with a value in this format >>

filename = folder_name/sub_folder_name/date/data   
for example 
filename=email/outlook/2019/03/25/outlook-2019-03-15-12:05:00:987Z

I am looking to create an alert when the folder is not populated with data, and I want to use a now() or other time variable in the file name.

for example

index=main sourcetype=files filename=email/outlook/{time variable}/*

So if today is 3/15/2019 the current date variable would be 2019/03/15, and tomorrow the query would use 2019/03/16 as the variable...

I hope that makes sense. I basically want to search a field using a current date variable...

Thanks

woodcock · ‎03-15-2019

Like this:

index=main sourcetype=files [ |makeresults | eval filename = "email/outlook/" . strftime(now(), "%Y/%m/%d") . "/*" | format ]

View solution in original post

woodcock · ‎03-15-2019

Like this:

index=main sourcetype=files [ |makeresults | eval filename = "email/outlook/" . strftime(now(), "%Y/%m/%d") . "/*" | format ]

How to setup a query to search and find file names with the current time value?

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!

What’s New in Splunk Cloud Platform 9.1.2308?