Solved: Re: How to setup a query to search and find file n...

Log_wrangler · ‎03-15-2019

Hi,

I have a query that searches a field i.e. filenames with a value in this format >>

filename = folder_name/sub_folder_name/date/data   
for example 
filename=email/outlook/2019/03/25/outlook-2019-03-15-12:05:00:987Z

I am looking to create an alert when the folder is not populated with data, and I want to use a now() or other time variable in the file name.

for example

index=main sourcetype=files filename=email/outlook/{time variable}/*

So if today is 3/15/2019 the current date variable would be 2019/03/15, and tomorrow the query would use 2019/03/16 as the variable...

I hope that makes sense. I basically want to search a field using a current date variable...

Thanks

woodcock · ‎03-15-2019

Like this:

index=main sourcetype=files [ |makeresults | eval filename = "email/outlook/" . strftime(now(), "%Y/%m/%d") . "/*" | format ]

View solution in original post

woodcock · ‎03-15-2019

Like this:

index=main sourcetype=files [ |makeresults | eval filename = "email/outlook/" . strftime(now(), "%Y/%m/%d") . "/*" | format ]

How to setup a query to search and find file names with the current time value?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?