Splunk Search

Is it possible to run an eval search using a wildcard to pull the date stamp from the source file name?

indianhans
Engager

Hi All,

I am new to splunk. Just using this wonderful application for my day to day activity. Below is the search which I use daily to pull the table, with the little change in source information.

The file name (source) has a big name with current date in YYYYMMDD format.
Example : E:/Program Files/Quintiq/Quintiq 4.4.0/Log/QTCE_64_1516_20150626_0223_0.xml

alt text

Is it possible to derive the source information from
eval nowstring=strftime(now(), "%Y%m%d") with wildcard character *.

I wish to write a search in such a way that there should not be a requirement of changing the "Source" tag everyday.

Tags (4)
0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

The easiest - and most splunky - approach would be to make sure your log's timestamps are extracted correctly and then use the time range picker to the right of the search bar to filter for Today or whatever time range you need. What file name the events came from becomes less relevant and less of a problem to maintain in your search.

That'd solve your requirement, but not your suggested solution - that can be achieved, but I'd recommend first trying the splunky way. If you need help with timestamp extraction you can post some sample events from that log file along with any sourcetype settings you may already have set.

View solution in original post

woodcock
Esteemed Legend

I agree with @martin_mueller in that you are putting your search string "cart" ahead of your config settings "horse". The way to do what you are asking is to make sure that your evens get properly timestamped. The easiest and quickest way to get "pretty close" is to use DATETIME_CONFIG = CURRENT but a better solution is to use DATETIME_CONFIG = datetime.xml to set each event's timestamp from the source. The best would be to set each event's timestamp from some time in the event's data but you have not shared any sample events so we don't know about feasability of this.

http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Tunetimestampextractionforbetterindexingperfo...

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

The easiest - and most splunky - approach would be to make sure your log's timestamps are extracted correctly and then use the time range picker to the right of the search bar to filter for Today or whatever time range you need. What file name the events came from becomes less relevant and less of a problem to maintain in your search.

That'd solve your requirement, but not your suggested solution - that can be achieved, but I'd recommend first trying the splunky way. If you need help with timestamp extraction you can post some sample events from that log file along with any sourcetype settings you may already have set.

martin_mueller
SplunkTrust
SplunkTrust

You could post sample events to try and figure out timestamp extraction - assuming the log even has timestamps.

Alternatively, use this to calculate today's date dynamically within the search:

index=wdm_main [stats count as source | eval source = "*" . strftime(now(), "%Y%m%d") . "*"] sourcetype=...

That subsearch will evaluate to source="*YYYYMMDD*".

0 Karma

indianhans
Engager

Thanks a loads. your solution solved my problem.

Cheers
Rishi

0 Karma

indianhans
Engager

Thanks for your response but application logs are not splunk friendly and a bit weird. When i select "Today" it shows my "No results found"

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...