Re: Read data between in log file based on date

axs21 · ‎03-08-2018

Hi,

I have a log file and want to read everyday data only.
File Format is like

sometextsometext
Friday, March 9, 2018 03:08:15 PM SGT
Somedata
Somedata
Friday, March 10, 2018 03:08:15 PM SGT
SomeDataSomeData
Saturday, March 11, 2018 03:08:15 PM SGT

I want to read data from previous day to current day. Is is possible ? Please suggest.
E.g. in above file,
I want to read data between March 9 to March 10
Next Day, I want to read from March 10 to March 11
and so on

Is it possible to achieve? Please suggest.
Thanks,
AXS

valiquet · ‎03-10-2018

Relative time windows is the solution. But it does not make much sense, how can you read logs from today if the day is not finish?

| search earliest=-@1d latest=+@1d

You should instead

| search earliest=-1d

axs21 · ‎03-12-2018

Splunk reads whole file everyday and it can lead to increase in DB size.
I want Splunk to only data between current and next day date from log file.

No like first Splunk whole file and do indexing and then it give me one day data.

somesoni2 · ‎03-09-2018

How often the file is updated, real-time or once a day??

axs21 · ‎03-12-2018

The file is updated on realtime.
Another thing is splunk reads whole file but I want Splunk to read data only from current date and to next date from log file.

elliotproebstel · ‎03-09-2018

Is the data from this file indexed into Splunk? What dictates an event break - each new line? Or is this data in a lookup file?

axs21 · ‎03-14-2018

Each new line dictates an event break

Read data between in log file based on date

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation