Splunk Search

Search on an eval variable - find filenames with yesterday's date

raziasaduddin
Path Finder

I used eval to create a field with the yesterday's date:

| eval today=strftime(now(),"%Y%m%d")

I want to search on events where the filename field contains that today variable / yesterday's date. The last 8 characters of a filename will contain the file date (ex: file20130628.csv).

1 Solution

martin_mueller
SplunkTrust

You're probably better off defining an eval-based macro that computes the date string you're looking for, and including that in the initial search. That way you do not need to load all events, eval your field, and then have Splunk notice it would not have needed to load that particular event. Consider an eval-based macro called yesterday that looks like this:

strftime(relative_time(time(), "-d"), "%Y%m%d") 

That allows you to write searches like this:

index=foo source=*`yesterday`* | further processing

That search will internally get expanded to this:

search index=foo source=*20130627* | further processing

The number of events Splunk needs to scan - and hence your search performance - should improve massively.

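As an added example (not code from the thread), this is how the eval-based macro the answer describes would be defined in macros.conf, followed by the question's own search using it; the stanza name `yesterday` and the app-local placement are assumptions:

```ini
# macros.conf (constructed example) in the app's local/ directory.
# iseval = 1 tells Splunk to evaluate the definition as an eval expression
# when the search string is expanded, i.e. once per search, instead of
# running "| eval" once per event and discarding non-matching events later.
[yesterday]
definition = strftime(relative_time(time(), "-d"), "%Y%m%d")
iseval = 1

# Search-bar usage (the date term is placed in the initial search so the
# indexers filter events before the pipeline runs; the rex field name
# "filename" is assumed from the question):
#   index=_internal WatchedFile z:\logs ("Reached EOF" OR "off=0") *`yesterday`*
#   | rex "(?<filename>z:.+?)\s"
# which Splunk expands to, e.g.:
#   search index=_internal WatchedFile z:\logs ("Reached EOF" OR "off=0") *20130627*
#   | rex "(?<filename>z:.+?)\s"
```

A leading-wildcard term like `*20130627*` is still cheaper than `| where`, since it is applied while events are read rather than after every event has been loaded and evaluated.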

splunkreal
Motivator

Hello,

Any solution without using a macro? Why does it filter with | search or | where filters?

I want to filter sources having yesterday date in their filenames.

Thanks.

* If this helps, please upvote or accept solution if it solved *
0 Karma

raziasaduddin
Path Finder

It worked with WHERE:

| eval yesterday=strftime(relative_time(time(), "-d"), "%Y%m%d")
| where filedate=yesterday

0 Karma

raziasaduddin
Path Finder

This did not work. The today variable did not get expanded.

0 Karma

raziasaduddin
Path Finder

The macro worked well!

0 Karma

raziasaduddin
Path Finder

I got it to work so far:

| eval yesterday=strftime(relative_time(time(), "-d"), "%Y%m%d")
| where filedate=yesterday

I will create a macro soon.

To be clear, you are saying that the eval does this yesterday calculation for every event, whereas the macro will expand once per search?

0 Karma

starcher
Influencer

I imagine the filename is equal to the source name for the event. So I would match against the source field.

raziasaduddin
Path Finder

Actually, in this case, it is not. It is in the event data and I rex it out.

index=_internal WatchedFile z:\logs ("Reached EOF" OR "off=0")
| rex "(?<filename>z:.+?)\s"

0 Karma

aholzer
Motivator

You may want to look into the like or islike functions.

This should do the trick:

| where like(filename, "%"+today+"%")

0 Karma