Splunk Search

How to write a search to get a list of all the source files that were indexed today?


Hi Team,

I have a forwarder installed and configured to forward the logs it receives daily. The timestamps in these logs are different, and that timestamp is configured as the event time. Now my requirement is to get the data from all the files that were indexed today. How can I get these results in a search?

Below are the list of files I indexed on Dec 20th.

-rw-r--r--   1 gaiext     ab           25457 Dec 20 00:06 BPP_WL3-XXXX_PUR-PUMAIN_v4_DNH_1_1_20151220000622.dat.gz
-rw-r--r--   1 gaiext     ab           12448 Dec 20 02:03 BPP_WL3-XXXX_PUR-PUMAIN_v4_DNH_1_1_20151220020355.dat.gz
-rw-r--r--   1 gaiext     ab            5432 Dec 20 04:04 BPP_WL3-XXXX_PUR-PUMAIN_v4_DNH_1_1_20151220040418.dat.gz
-rw-r--r--   1 gaiext     ab            3076 Dec 20 06:04 BPP_WL3-XXXX_PUR-PUMAIN_v4_DNH_1_1_20151220060408.dat.gz
-rw-r--r--   1 gaiext     ab            2155 Dec 20 08:04 BPP_WL3-XXXX_PUR-PUMAIN_v4_DNH_1_1_20151220080407.dat.gz
-rw-r--r--   1 gaiext     ab            3249 Dec 20 10:04 BPP_WL3-XXXX_PUR-PUMAIN_v4_DNH_1_1_20151220100421.dat.gz
-rw-r--r--   1 gaiext     ab            7943 Dec 20 12:06 BPP_WL3-XXXX_PUR-PUMAIN_v4_DNH_1_1_20151220120628.dat.gz
-rw-r--r--   1 gaiext     ab           17644 Dec 20 14:06 BPP_WL3-XXXX_PUR-PUMAIN_v4_DNH_1_1_20151220140652.dat.gz
-rw-r--r--   1 gaiext     ab           24234 Dec 20 16:06 BPP_WL3-XXXX_PUR-PUMAIN_v4_DNH_1_1_20151220160607.dat.gz
-rw-r--r--   1 gaiext     ab           23714 Dec 20 18:04 BPP_WL3-XXXX_PUR-PUMAIN_v4_DNH_1_1_20151220180453.dat.gz
-rw-r--r--   1 gaiext     ab           23330 Dec 20 20:05 BPP_WL3-XXXX_PUR-PUMAIN_v4_DNH_1_1_20151220200525.dat.gz
-rw-r--r--   1 gaiext     ab           23653 Dec 20 22:05 BPP_WL3-XXXX_PUR-PUMAIN_v4_DNH_1_1_20151220220519.dat.g

How do I search to get all the files on a daily basis? If I log in to the search head on the 21st, I need to get all the files that were indexed on the 21st.

index="myindex" | where _indextime=now() 

I tried the above, but it didn't work. Is there a better approach? Please help.



Try the metadata command. You can filter with where like any other search. Just modify the time value in the relative_time section to get the time range you are after. Note that as it's a generating search it must come first in the search bar.

|metadata type=sources index="myindex"|where recentTime > relative_time(now(), "-24h@h")

And of course if you want to use the filenames in a subsequent search

<main search>  [|metadata type=sources index="myindex"|where recentTime > relative_time(now(), "-24h@h")|fields source] | etc

If you are instead asking for a generic range picker then just try

<your search> _index_earliest=-24h@h | etc

Now go and read these:



index="myindex" | stats count by source

Hope this helps you.



Hi jmallorquin ,

I don't want to list all the files, I just need to list the files that were indexed today, and I cannot use the time picker because my event time is different in each of these files.

How do I use the search now?



index="myindex" | eval time = _indextime | where time > 1450656000 |stats count by source
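A search that selects by index time for the calendar day rather than the last 24 hours or a hard-coded epoch value, added here as an example and not part of any reply above; it assumes the same index name, and that the search head's timezone is the one you mean by "today":

```spl
index="myindex" _index_earliest=@d _index_latest=now
| stats count AS events, min(_indextime) AS first_indexed, max(_indextime) AS last_indexed BY source
| eval first_indexed=strftime(first_indexed, "%Y-%m-%d %H:%M:%S"), last_indexed=strftime(last_indexed, "%Y-%m-%d %H:%M:%S")
| sort source
```

Because `_index_earliest` and `_index_latest` filter on `_indextime`, the event timestamps inside the files no longer matter; use `_index_earliest=-1d@d _index_latest=@d` for yesterday's files.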