Splunk Search

How to write a search to get a list of all the source files that were indexed today?

rakesh_498115
Motivator

Hi Team,

I have a forwarder installed and configured to forward the logs that it receives daily. The timestamps in these logs are different, and that timestamp is configured as the event time. Now my requirement is to get the data from all the files that were indexed today. How can I get these results in a search?

Below is the list of files I indexed on Dec 20th.

-rw-r--r--   1 gaiext     ab           25457 Dec 20 00:06 BPP_WL3-XXXX_PUR-PUMAIN_v4_DNH_1_1_20151220000622.dat.gz
-rw-r--r--   1 gaiext     ab           12448 Dec 20 02:03 BPP_WL3-XXXX_PUR-PUMAIN_v4_DNH_1_1_20151220020355.dat.gz
-rw-r--r--   1 gaiext     ab            5432 Dec 20 04:04 BPP_WL3-XXXX_PUR-PUMAIN_v4_DNH_1_1_20151220040418.dat.gz
-rw-r--r--   1 gaiext     ab            3076 Dec 20 06:04 BPP_WL3-XXXX_PUR-PUMAIN_v4_DNH_1_1_20151220060408.dat.gz
-rw-r--r--   1 gaiext     ab            2155 Dec 20 08:04 BPP_WL3-XXXX_PUR-PUMAIN_v4_DNH_1_1_20151220080407.dat.gz
-rw-r--r--   1 gaiext     ab            3249 Dec 20 10:04 BPP_WL3-XXXX_PUR-PUMAIN_v4_DNH_1_1_20151220100421.dat.gz
-rw-r--r--   1 gaiext     ab            7943 Dec 20 12:06 BPP_WL3-XXXX_PUR-PUMAIN_v4_DNH_1_1_20151220120628.dat.gz
-rw-r--r--   1 gaiext     ab           17644 Dec 20 14:06 BPP_WL3-XXXX_PUR-PUMAIN_v4_DNH_1_1_20151220140652.dat.gz
-rw-r--r--   1 gaiext     ab           24234 Dec 20 16:06 BPP_WL3-XXXX_PUR-PUMAIN_v4_DNH_1_1_20151220160607.dat.gz
-rw-r--r--   1 gaiext     ab           23714 Dec 20 18:04 BPP_WL3-XXXX_PUR-PUMAIN_v4_DNH_1_1_20151220180453.dat.gz
-rw-r--r--   1 gaiext     ab           23330 Dec 20 20:05 BPP_WL3-XXXX_PUR-PUMAIN_v4_DNH_1_1_20151220200525.dat.gz
-rw-r--r--   1 gaiext     ab           23653 Dec 20 22:05 BPP_WL3-XXXX_PUR-PUMAIN_v4_DNH_1_1_20151220220519.dat.g

How do I search to get all the files on a daily basis? If I log in to the search head on the 21st, I need to get all the files that were indexed on the 21st.

index="myindex" | where _indextime=now() 

I tried the above, but it didn't work. Is there a better approach? Please help.

0 Karma

jplumsdaine22
Influencer

Try the metadata command. You can filter with where like any other search. Just modify the time value in the relative_time section to get the time range you are after. Note that, as it's a generating search, it must come first in the search bar.

|metadata type=sources index="myindex"|where recentTime > relative_time(now(), "-24h@h")

And of course, if you want to use the filenames in a subsequent search:

<main search>  [|metadata type=sources index="myindex"|where recentTime > relative_time(now(), "-24h@h")|fields source] | etc

If you are instead asking for a generic range picker, then just try:

<your search> _index_earliest=-24h@h | etc

Now go and read these:
http://docs.splunk.com/Documentation/Splunk/6.3.2/SearchReference/SearchTimeModifiers
http://docs.splunk.com/Documentation/Splunk/6.3.2/SearchReference/Metadata
http://docs.splunk.com/Documentation/Splunk/6.3.2/SearchReference/Where

0 Karma

jmallorquin
Builder

index="myindex" | eval time = _indextime | where time > 1450656000 | stats count by source

0 Karma
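The two answers above rely on the same idea, filtering on index time (_indextime) rather than on the event timestamp, but each ties the cutoff to a fixed point: "-24h@h" is a rolling 24-hour window rather than a calendar day, and the literal 1450656000 is 2015-12-21 00:00:00 UTC, so it has to be recomputed every day. The searches below are an added example, not taken from any post in this thread; they assume the index name "myindex" from the question and use only built-in SPL pieces: the metadata command's recentTime and totalCount fields, _indextime, the _index_earliest search modifier, relative_time, strftime and convert ctime.

```spl
| metadata type=sources index="myindex"
| where recentTime >= relative_time(now(), "@d")
| eval last_indexed=strftime(recentTime, "%Y-%m-%d %H:%M:%S")
| table source totalCount last_indexed
| sort - last_indexed

index="myindex" _index_earliest=@d
| stats min(_indextime) AS first_indexed max(_indextime) AS last_indexed count AS events BY source
| sort - last_indexed
| convert ctime(first_indexed) ctime(last_indexed)
```

The first search is the cheap one: it reads the metadata summary and keeps every source whose most recent index time falls on or after midnight, so it answers "which files arrived today" without scanning events. Its totalCount is the lifetime event count for that source, not today's. The second search scans the events themselves and gives a per-source first and last index time plus today's event count, which is what you want when checking whether a file was only partially ingested. In both searches "@d" snaps to midnight in the time zone of the user running the search, while _indextime is epoch seconds, so the cutoff follows the calendar day instead of a hard-coded number. One caveat for the second search: _index_earliest is applied in addition to the event-time range from the time picker, so run it with the picker set to All time, otherwise files whose event timestamps fall outside the picker window are dropped even though they were indexed today. Scheduling either search and alerting when an expected source is missing is a simple way to catch a forwarder or feed that has silently stopped delivering.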

jmallorquin
Builder

Hi,
index="myindex" | stats count by source

Hope this helps you.

0 Karma

rakesh_498115
Motivator

Hi jmallorquin ,

I don't want to list all the files, I just need to list the files that were indexed today, and I cannot use the time picker because my event time is different in each of these files.

How do I use the search now?

Thanks.

0 Karma
