https://community.splunk.com/t5/Splunk-Search/generate-daily-report-on-date-field-in-data/m-p/365887#M107910 <P>Try this!</P> <PRE><CODE>event_name="update.event" [search |noop|stats count as event_data.day |eval event_data.day=strftime(now(),"%Y-%m-%d")+" "+strftime(relative_time(now(),"+1d@d"),"%Y-%m-%d") |makemv event_data.day |mvexpand event_data.day] </CODE></PRE> Tue, 13 Feb 2018 12:38:27 GMT HiroshiSatoh 2018-02-13T12:38:27Z https://community.splunk.com/t5/Splunk-Search/generate-daily-report-on-date-field-in-data/m-p/365886#M107909 <P>Hi there, </P> <P>I have some data like this </P> <PRE><CODE>activity_id: 1131c134-d771-41e7-918d-d42772fc1316 date_time: 2018-02-13T08:21:40.682844+00:00 env: prod event_data: { [-] channel: 1124 day: 2018-02-18 eventId: 97356218 streamEndDateTime: 1518974100000 streamStartDateTime: 1518965640000 } event_name: update.event timestamp: 1518510100682 </CODE></PRE> <P>And I would like Splunk to generate a report each day at midnight based on the next 2 days from the 'event_data.day' value. For example if today is 2018-02-17, the report would check</P> <PRE><CODE>event_name="update.event" event_data.day="2018-02-17" OR event_data.day="2018-02-18" </CODE></PRE> <P>The next day the report would check for </P> <PRE><CODE>event_name="update.event" event_data.day="2018-02-18" OR event_data.day="2018-02-19" </CODE></PRE> <P>etc. </P> <P>Any help would be greatly appreciated.</P> Tue, 13 Feb 2018 09:01:15 GMT https://community.splunk.com/t5/Splunk-Search/generate-daily-report-on-date-field-in-data/m-p/365886#M107909 alexm2a 2018-02-13T09:01:15Z https://community.splunk.com/t5/Splunk-Search/generate-daily-report-on-date-field-in-data/m-p/365887#M107910 <P>Try this!</P> <PRE><CODE>event_name="update.event" [search |noop|stats count as event_data.day |eval event_data.day=strftime(now(),"%Y-%m-%d")+" "+strftime(relative_time(now(),"+1d@d"),"%Y-%m-%d") |makemv event_data.day |mvexpand event_data.day] </CODE></PRE> Tue, 13 Feb 2018 12:38:27 GMT https://community.splunk.com/t5/Splunk-Search/generate-daily-report-on-date-field-in-data/m-p/365887#M107910 HiroshiSatoh 2018-02-13T12:38:27Z https://community.splunk.com/t5/Splunk-Search/generate-daily-report-on-date-field-in-data/m-p/365888#M107911 <P>Brilliant! Thank you! </P> Tue, 13 Feb 2018 12:49:02 GMT https://community.splunk.com/t5/Splunk-Search/generate-daily-report-on-date-field-in-data/m-p/365888#M107911 alexm2a 2018-02-13T12:49:02Z https://community.splunk.com/t5/Splunk-Search/generate-daily-report-on-date-field-in-data/m-p/365889#M107912 <P>hey @hiroshiSatoh</P> <P>I was just wondering why you have used <CODE>|noop|stats count as event_data.day</CODE>?<BR /> If you do not use that then you will not get an answer? Just trying to understand your query.<BR /> Also <CODE>event_data.day=strftime(now(),"%Y-%m-%d")+" "+strftime(relative_time(now(),"+1d@d"),"%Y-%m-%d"</CODE> will give you today and tomorrow date right?</P> Tue, 13 Feb 2018 13:16:58 GMT https://community.splunk.com/t5/Splunk-Search/generate-daily-report-on-date-field-in-data/m-p/365889#M107912 mayurr98 2018-02-13T13:16:58Z