Splunk Search

Sum of total files with same date

373782073
Explorer

Hi,

I've got a search that provides a table of 60 filenames.
30 filenames with a date of today -3 days and 30 filenames with a date of today -2 days.
Every time the search runs it is expected to result in 60 events with 60 filenames found containing 2 separate dates within their names.

Search output:

Filename
filename1-2020-01-21
filename2-2020-01-21
...
filename30-2020-01-21
filename1-2020-01-22
filename2-2020-01-22
filename3-2020-01-22
...
filename30-2020-01-22

How can I modify my table so that a second column with the total number of files is also created with the first field having the total =30 for all files from -3days and 30 files with -2days?

Also, is there a way to set up a third column that will say INVALID if the filename doesn't contain either the -3 days date or the -2 days date? Example: NOT 2020-01-22 or 2020-01-21?

Expected Search output:

Filename Total Valid
filename1-2020-01-21 30 VALID
filename2-2020-01-21 "
... "
filename30-2020-01-21 "

filename1-2020-01-18 1 INVALID

filename1-2020-01-22 VALID
filename2-2020-01-22 "
filename3-2020-01-22 "
... "
filename30-2020-01-22 "

Thanks

0 Karma
1 Solution

renjith_nair
SplunkTrust
SplunkTrust

@373782073 ,

Try

"your current search"
|rex field=filename ".*(?<date>\d{4}-\d{2}-\d{2})"
|eventstats count as Total by date
|eval day3=strftime(relative_time(now(),"-3d"),"%Y-%m-%d")
|eval day2=strftime(relative_time(now(),"-2d"),"%Y-%m-%d")
|eval Status=if(date==day3 OR date==day2,"VALID","INVALID")
|streamstats count by date|eval Total=if(count==1,Total,null())
|fields filename,Total,Status
Happy Splunking!


0 Karma
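A self-contained version of the accepted search, added here as an example and not part of the original thread. The field names (filename, date, Total, day3, day2, Status) are the ones used in the accepted answer; the constructed list of sample filenames built with makeresults and mvappend (three files from day -3, two from day -2, one from day -6 and one with no date at all), the fillnull step and the rownum rename are assumptions of this example so that it can be pasted into a search bar and run without any index:

```spl
| makeresults
| eval d3=strftime(relative_time(now(),"-3d"),"%Y-%m-%d"),
       d2=strftime(relative_time(now(),"-2d"),"%Y-%m-%d"),
       d6=strftime(relative_time(now(),"-6d"),"%Y-%m-%d")
| eval filename=mvappend("filename1-".d3, "filename2-".d3, "filename3-".d3,
                         "filename1-".d2, "filename2-".d2,
                         "filename1-".d6,
                         "filename-without-date")
| mvexpand filename
| fields filename
| rex field=filename ".*(?<date>\d{4}-\d{2}-\d{2})"
| fillnull value="none" date
| eventstats count as Total by date
| eval day3=strftime(relative_time(now(),"-3d"),"%Y-%m-%d"),
       day2=strftime(relative_time(now(),"-2d"),"%Y-%m-%d")
| eval Status=if(date==day3 OR date==day2,"VALID","INVALID")
| streamstats count as rownum by date
| eval Total=if(rownum==1,Total,null())
| table filename Total Status
```

With the constructed input this returns the day -3 files with Total 3 on the first row and VALID on all three, the day -2 files with Total 2 and VALID, the day -6 file with Total 1 and INVALID, and the file without a date with Total 1 and INVALID. The fillnull step matters for that last case: without it the rex leaves date empty, eventstats by date skips the event so Total is never set, and the comparison against day3/day2 evaluates to null rather than false. Two caveats when running this against real data: now() and strftime use the search user's time zone, so a search run close to midnight can compute day3/day2 one day off from the date embedded in a filename that was written in another zone; and the regex picks the last YYYY-MM-DD in the name, so a filename containing two dates is classified by the second one.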


373782073
Explorer

That worked great.
Thanks a lot

0 Karma