Splunk Search

I need to return only results where the "source" contains the current date.

griffinpair
Explorer

Example:

source="D:\filepath\filepath\filepath\filepath\DebugImportHelper_7_25_2017.log"

This log file is created every day with the current date. I want a search that runs in real time and only returns data from a source that contains the current date. My current search looks like this (asterisks do not show, so $ represents where asterisks would be):

source=$"D:\filename\filename$ source=$filename\filename$ source=$clientID$ Start
| eval today=strftime(now(), "%m_%d_%Y") | where source=$today$
| eval time=strftime(round(strptime(full_Time, "%I:%M:%S %P")), "%H:%M:%S")
| eval late=if(time>"15:00:00", 1, 0)
| table Action, full_Date, full_Time, time, late, source

The "eval today=strftime(now(), "%m/%d/%Y") | where source=$today$" part returns the right date format, but the "where" does not work.

0 Karma
1 Solution

somesoni2
Revered Legend

The where clause doesn't support wildcards directly. You have to use either the like or the match function with it. The where command requires % as the wildcard character.

...| where like(source,"%".today."%") | ....

Or use match, which does 'contains'-type matching, so you don't need a wildcard there.

...| where match(source,today) | ....

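As an added example that is not from the original thread, here is the question's search rewritten with the answer's like() filter, followed by a second variant that builds the date inside a subsearch so the base search only reads today's file instead of pulling every day's log and discarding most of it afterwards. Field names, the path and the 15:00:00 cutoff are taken from the question; the subsearch form and the tonumber() trick are my own additions, assumed because the sample filename (DebugImportHelper_7_25_2017.log) has no zero padding, while strftime's %m would produce "07".

```spl
source="D:\filepath\filepath\filepath\filepath\DebugImportHelper_*.log" Start
| eval mm=tonumber(strftime(now(), "%m")), dd=tonumber(strftime(now(), "%d")), yyyy=strftime(now(), "%Y")
| eval today=mm."_".dd."_".yyyy
| where like(source, "%DebugImportHelper_".today.".log")
| eval time=strftime(round(strptime(full_Time, "%I:%M:%S %p")), "%H:%M:%S")
| eval late=if(time>"15:00:00", 1, 0)
| table Action, full_Date, full_Time, time, late, source

source="D:\filepath\filepath\filepath\filepath\DebugImportHelper_*.log" Start
    [| makeresults
     | eval mm=tonumber(strftime(now(), "%m")), dd=tonumber(strftime(now(), "%d")), yyyy=strftime(now(), "%Y")
     | eval search="source=*DebugImportHelper_".mm."_".dd."_".yyyy.".log"
     | fields search]
| eval time=strftime(round(strptime(full_Time, "%I:%M:%S %p")), "%H:%M:%S")
| eval late=if(time>"15:00:00", 1, 0)
| table Action, full_Date, full_Time, time, late, source
```

Two things to keep in mind: in like() the underscore is itself a single-character wildcard (harmless here, since it still matches the literal underscores), and now() is rendered in the searching user's time zone, so near midnight it can disagree with the date the server stamped on the file.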

griffinpair
Explorer

This was exactly what I was looking for. Thanks!

0 Karma