https://community.splunk.com/t5/Dashboards-Visualizations/How-to-run-Splunk-search-from-every-2nd-Tuesday-of-every-month/m-p/452514#M29681 <P>Hey Woodcock, glad to see the response from you man. We've met at July Dallas Splunk user group meetup. Anyway your answer works great for my search and I can see the results between that time range. but also could you please tell me what is this <EM>| format "" "" "" "" "" ""</EM> Command doing here.</P> <P>Thank you!</P> Fri, 16 Aug 2019 19:06:49 GMT vinaykataaig 2019-08-16T19:06:49Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-run-Splunk-search-from-every-2nd-Tuesday-of-every-month/m-p/452512#M29679 <P>Guys, does any one know or have an example on how to pull the Splunk results from every 2nd Tuesday of month to 2nd Tuesday of the following month. Is it possible to write with earliest and latest, if not what are the other options we have. Below is my base query. Thank you all!!</P> <P>index="abc " sourcetype="ABCD" install_status!=Retired os="<EM>windows</EM>" patching_group IN ("AAA*" "<EM>BBB</EM>") <BR /> | search number="*"<BR /> | eval servers=lower(name) <BR /> | eval start=strptime(start_date, "%Y-%m-%d %H:%M:%S.%N") <BR /> | eval day = strftime(start, "%a") <BR /> | eval month = strftime(start, "%B") | dedup servers | stats count(servers) as servers</P> Wed, 30 Sep 2020 01:47:21 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-run-Splunk-search-from-every-2nd-Tuesday-of-every-month/m-p/452512#M29679 vinaykataaig 2020-09-30T01:47:21Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-run-Splunk-search-from-every-2nd-Tuesday-of-every-month/m-p/452513#M29680 <P>Like this:</P> <PRE><CODE>index="abc " sourcetype="ABCD" install_status!=Retired os="windows" patching_group IN ("AAA*" "BBB") [| makeresults | eval earliest = relative_time(now(), "@mon-1mon@w2+14d") | eval latest = relative_time(now(), "@mon@w2+14d") | format "" "" "" "" "" "" | rex field=search mode=sed "s/\"//g"] | search number="*" | eval servers=lower(name) | stats dc(servers) AS servers </CODE></PRE> Fri, 16 Aug 2019 18:27:55 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-run-Splunk-search-from-every-2nd-Tuesday-of-every-month/m-p/452513#M29680 woodcock 2019-08-16T18:27:55Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-run-Splunk-search-from-every-2nd-Tuesday-of-every-month/m-p/452514#M29681 <P>Hey Woodcock, glad to see the response from you man. We've met at July Dallas Splunk user group meetup. Anyway your answer works great for my search and I can see the results between that time range. but also could you please tell me what is this <EM>| format "" "" "" "" "" ""</EM> Command doing here.</P> <P>Thank you!</P> Fri, 16 Aug 2019 19:06:49 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-run-Splunk-search-from-every-2nd-Tuesday-of-every-month/m-p/452514#M29681 vinaykataaig 2019-08-16T19:06:49Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-run-Splunk-search-from-every-2nd-Tuesday-of-every-month/m-p/452515#M29682 <P>The <CODE>format</CODE> command reveals (and allows you to control the boolean logic and punctuation of) what the <CODE>subsearch</CODE> will return to the outer search. Usually a <CODE>subsearch</CODE> is returning boolean logic but in this case, it is not so we are stripping the boolean logic and punctuation and after that, the double-quotes.</P> Fri, 16 Aug 2019 19:44:00 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-run-Splunk-search-from-every-2nd-Tuesday-of-every-month/m-p/452515#M29682 woodcock 2019-08-16T19:44:00Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-run-Splunk-search-from-every-2nd-Tuesday-of-every-month/m-p/585358#M47976 <P>This solution is incorrect or outdated for recent versions of Splunk, as earliest and latest values are not calculating 2nd Tuesday of specified months correctly.</P> Wed, 16 Feb 2022 14:15:33 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-run-Splunk-search-from-every-2nd-Tuesday-of-every-month/m-p/585358#M47976 joao_amorim 2022-02-16T14:15:33Z