topic Re: search every day in last week at specific times in Splunk Search

search every day in last week at specific times

gnovak — Sat, 29 Jan 2011 00:57:00 GMT

hello again.

I have a search where I'd like to go back 1 week and then search the same time on each day during that week and return results.

So far I have been looking at all of the time range modifiers and still haven't come up with exactly what I am looking for.

My search is:

sourcetype="Cron_SendNotificationEmail" OR sourcetype="Cron_CheckRegistrarThreshold"  
(source="*asia*" OR source="*info*" OR source="*org*" OR source="*mobi*" OR source="*me*" OR source="*aero*" OR source="*cctld*") 
earliest=-1d@d latest=-1d@d+23h+55m 
| rex field=_raw "send_to_email ?\[(?P<send_to_email>\S+)\]"
| rex "(?P<inserting_a_record>Inserting a record.*)" 
| search inserting_a_record="*" OR send_to_email="*" 
| timechart count(inserting_a_record) as TotalEmailsToSend count(send_to_email) as TotalEmailsSent`

obviously i don't have the right time modifiers in the search right now, but i'm trying to figure it out. so far i think i could start with "startdaysago=7" but after that I'm not sure how to tell the search to search on every day after going back 7 days at the times I would like which is:

00:00 to 23:55

Help?

Re: search every day in last week at specific times

gnovak — Sat, 29 Jan 2011 00:58:08 GMT

also keep in mind this search makes a chart on the dashboard.

Re: search every day in last week at specific times

Paolo_Prigione — Mon, 31 Jan 2011 18:36:58 GMT

If I get you right you'd like to dismiss events being generated the last five minutes before midnight every day. Would something like this do?

.... earliest=-7d@d NOT (day_hour=23 AND day_minute>=55)

Re: search every day in last week at specific times

gnovak — Wed, 02 Feb 2011 04:34:11 GMT

well this probably would work, but now the problem appears to be that the query isn't giving me the results i would expect. It should pull out two fields, TotalEmailSent and TotalEmailsToSend and once charted both of these numbers should match. For some reason they aren't.

Re: search every day in last week at specific times

gnovak — Mon, 28 Sep 2020 09:23:58 GMT

I am still messing with this query, but I don't want it to include any results from the current day at all. I only want the last 7 days NOT including the present day.

sourcetype="Cron_CheckRegistrarThreshold" (source="asia" OR source="info" OR source="org" OR source="mobi" OR source="me" OR source="aero" OR source="cctld") earliest=-7d@d NOT (day_hour=23 AND day_minute>=55) | rex "(?PInserting a record.)" max_match=1000 | search inserting_a_record="" | timechart count(inserting_a_record) as TotalEmailsToSend

Re: search every day in last week at specific times

sideview — Wed, 02 Feb 2011 11:12:12 GMT

I think I have an idea of where you're trying to go. Do you think you could add a table of what you'd like the tabular output of the search to be? ie what are the rows and columns you want to end up with?

Re: search every day in last week at specific times

Paolo_Prigione — Mon, 28 Sep 2020 09:24:04 GMT

you got the timechart syntax wrong.... should be something like | timechart count(eval(inserting_a_record=*)) ....

Re: search every day in last week at specific times

Paolo_Prigione — Wed, 02 Feb 2011 19:56:05 GMT

earliest=-7d@d latest=@d NOT (day_hour=....