Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Read data between in log file based on date
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Read data between in log file based on date
Hi,
I have a log file and want to read everyday data only.
File Format is like
sometextsometext
Friday, March 9, 2018 03:08:15 PM SGT
Somedata
Somedata
Friday, March 10, 2018 03:08:15 PM SGT
SomeDataSomeData
Saturday, March 11, 2018 03:08:15 PM SGT
I want to read data from previous day to current day. Is is possible ? Please suggest.
E.g. in above file,
I want to read data between March 9 to March 10
Next Day, I want to read from March 10 to March 11
and so on
Is it possible to achieve? Please suggest.
Thanks,
AXS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Relative time windows is the solution. But it does not make much sense, how can you read logs from today if the day is not finish?
| search earliest=-@1d latest=+@1d
You should instead
| search earliest=-1d
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk reads whole file everyday and it can lead to increase in DB size.
I want Splunk to only data between current and next day date from log file.
No like first Splunk whole file and do indexing and then it give me one day data.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How often the file is updated, real-time or once a day??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The file is updated on realtime.
Another thing is splunk reads whole file but I want Splunk to read data only from current date and to next date from log file.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is the data from this file indexed into Splunk? What dictates an event break - each new line? Or is this data in a lookup file?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Each new line dictates an event break
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
