Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to calculate the cumulative count of events using relative timeframes?

arthurabreu
Explorer
‎12-01-2017 01:54 PM

Hi,

I need to create a search that calculates the cumulative count of a specific event during the weekend.

I have the following query, that will give me the count of distinct hosts that have EventID 6009. These events can happen anytime during the weekend.

index=win_logs sourcetype=System EventID=6009 | stats dc(host) AS TotalHostCount

I've created an alert that will run this search every 2 hours during the weekends (Saturdays AND Sundays) and send an email with the current count, so we can monitor the progress. I did the schedule using cron.

But I am struggling with the right time modifiers to use with the cron schedule... I want to lock my timeframe to look at events between Saturdays 12:00:00AM and Mondays 12:00:00AM

I tried to use earliest=@w6 and it will lock my search to start on Saturdays but when the alert is triggered again on Sunday, it will be considered a new week (w0) and therefore w6 will be a date in the future messing the whole thing up...

Any ideas ?

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎12-01-2017 02:11 PM

Okay, try something like this...

earliest=-1d@w5+1d

or 

earliest=-1d@w+6d

Try 

earliest=-1d@w6

View solution in original post

Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎12-01-2017 02:11 PM

Okay, try something like this...

earliest=-1d@w5+1d

or 

earliest=-1d@w+6d

Try 

earliest=-1d@w6
Reply
Solved! Jump to solution

arthurabreu
Explorer
‎12-02-2017 12:52 PM

Hi DalJeanis.

Thanks for your suggestion but as I mentioned on my original question, I have to lock in a specific timeframe (Saturdays 12:00:00AM and Mondays 12:00:00AM) and still be able to execute the query every 2 hours during the weekend.
earliest=-1d@w6 will work fine for Sunday, but if I run the query it on Saturday it will give me results from Friday, which is outside the desired timeframe.

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎12-03-2017 08:44 PM

@arthurabreu - updated the answer, try the new code.

0 Karma
Reply
Solved! Jump to solution

arthurabreu
Explorer
‎12-04-2017 06:44 AM

thank you, that did the trick! 🙂

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...