Hi Team,
I have a forwarder installed and configured to forward the logs it receives daily. The timestamps in these logs are different and are configured as the event timestamp. Now my requirement is to get the data from all the files that were indexed today. How can I get these results in a search?
Below is the list of files I indexed on Dec 20th.
-rw-r--r-- 1 gaiext ab 25457 Dec 20 00:06 BPP_WL3-XXXX_PUR-PUMAIN_v4_DNH_1_1_20151220000622.dat.gz
-rw-r--r-- 1 gaiext ab 12448 Dec 20 02:03 BPP_WL3-XXXX_PUR-PUMAIN_v4_DNH_1_1_20151220020355.dat.gz
-rw-r--r-- 1 gaiext ab 5432 Dec 20 04:04 BPP_WL3-XXXX_PUR-PUMAIN_v4_DNH_1_1_20151220040418.dat.gz
-rw-r--r-- 1 gaiext ab 3076 Dec 20 06:04 BPP_WL3-XXXX_PUR-PUMAIN_v4_DNH_1_1_20151220060408.dat.gz
-rw-r--r-- 1 gaiext ab 2155 Dec 20 08:04 BPP_WL3-XXXX_PUR-PUMAIN_v4_DNH_1_1_20151220080407.dat.gz
-rw-r--r-- 1 gaiext ab 3249 Dec 20 10:04 BPP_WL3-XXXX_PUR-PUMAIN_v4_DNH_1_1_20151220100421.dat.gz
-rw-r--r-- 1 gaiext ab 7943 Dec 20 12:06 BPP_WL3-XXXX_PUR-PUMAIN_v4_DNH_1_1_20151220120628.dat.gz
-rw-r--r-- 1 gaiext ab 17644 Dec 20 14:06 BPP_WL3-XXXX_PUR-PUMAIN_v4_DNH_1_1_20151220140652.dat.gz
-rw-r--r-- 1 gaiext ab 24234 Dec 20 16:06 BPP_WL3-XXXX_PUR-PUMAIN_v4_DNH_1_1_20151220160607.dat.gz
-rw-r--r-- 1 gaiext ab 23714 Dec 20 18:04 BPP_WL3-XXXX_PUR-PUMAIN_v4_DNH_1_1_20151220180453.dat.gz
-rw-r--r-- 1 gaiext ab 23330 Dec 20 20:05 BPP_WL3-XXXX_PUR-PUMAIN_v4_DNH_1_1_20151220200525.dat.gz
-rw-r--r-- 1 gaiext ab 23653 Dec 20 22:05 BPP_WL3-XXXX_PUR-PUMAIN_v4_DNH_1_1_20151220220519.dat.g
How do I search to get all the files on a daily basis? If I log in to the search head on the 21st, I need to get all the files that were indexed on the 21st.
index="myindex" | where _indextime=now()
I tried the above, but it didn't work. Is there any better approach? Please help.
Try the metadata command. You can filter with where like in any other search. Just modify the time value in the relative_time section to get the time range you are after. Note that, as it is a generating search, it must come first in the search bar.
|metadata type=sources index="myindex"|where recentTime > relative_time(now(), "-24h@h")
And of course if you want to use the filenames in a subsequent search
<main search> [|metadata type=sources index="myindex"|where recentTime > relative_time(now(), "-24h@h")|fields source] | etc
If you are instead asking for a generic range picker then just try
<your search> _index_earliest=-24h@h | etc
Now go and read these:
http://docs.splunk.com/Documentation/Splunk/6.3.2/SearchReference/SearchTimeModifiers
http://docs.splunk.com/Documentation/Splunk/6.3.2/SearchReference/Metadata
http://docs.splunk.com/Documentation/Splunk/6.3.2/SearchReference/Where
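An added example, not part of the original thread, that builds on the _index_earliest modifier from the answer above but snaps to the start of the calendar day (@d) instead of the last 24 hours, so it matches "indexed today" exactly; the index name is the thread's own. The earliest=0 latest=now part is there because _index_earliest only adds an index-time filter, while the time picker's range still applies to _time, which in this case differs from file to file:

```spl
index="myindex" earliest=0 latest=now _index_earliest=@d _index_latest=now
| stats count AS events
        min(_indextime) AS first_indexed
        max(_indextime) AS last_indexed
        BY source
| eval first_indexed=strftime(first_indexed, "%Y-%m-%d %H:%M:%S"),
       last_indexed=strftime(last_indexed, "%Y-%m-%d %H:%M:%S")
| sort source
```

The result is one row per .dat.gz file that landed in the index today, with the event count and the first and last index times, regardless of the event timestamps inside each file.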
index="myindex" | eval time = _indextime | where time > 1450656000 |stats count by source
Hi,
index="myindex" | stats count by source
Hope this helps you.
Hi jmallorquin ,
I don't want to list all the files, I just need to list the files that were indexed today, and I cannot use the time picker because my event time is different in each of these files.
How do I use the search now?
Thanks.