Regex for changing date

aniketb · ‎03-03-2016

Hi,

I want to check daily if my file generated successfully. The filename is prefixed by date so e.g.

3 march i'll have a filename like: 20160302-myfile
2 march - 20160301-myfile

I retain the files in folder for 3 months so just using *-myfile doesn't work for me.

Can splunk regex autoincrement the date everyday?

somesoni2 · ‎03-03-2016

Try something like this

sourcetype=xyz "/my folder/ mysubfolder" [| gentimes start=-1 | eval search=strftime(now(),"%Y%m%d') | table search ]

The subsearch will generate a value in the format %Y%m%d (2010303 for today) and return the text value of it to main search.

somesoni2 · ‎03-03-2016

So, the data is ingested already and you want to alert OR check if you received file for today (or Yesterday) using Splunk search?

aniketb · ‎03-03-2016

Yes my log does show it. e.g.

today's log will show

/my folder/ mysubfolder 20160302-myfile.zip 20160301-myfile.zip .....

I need the search string to search on:

sourcetype=xyz "/my folder/ mysubfolder" 20160301 (this variable should change automatically everyday)

Are you a member of the Splunk Community?