Solved: How to create a scheduled alert to generate Year T...

kel6cob · ‎02-17-2016

Hi,

I have created a search to pull annual records using time range "Year to date" option. It displays the all the annual records perfectly. If I save this search as an alert and scheduled to run on certain days, it's not fetching "Year to date" records instead it gives records for last 1 month. So how do I create an alert to pull "Year to date" records ?

somesoni2 · ‎02-17-2016

Ensure that in "Start time"/Earliest field (Settings-> Searches, reports and alerts -> Your scheduled search) is set to @y and "Finish time"/Latest is set to now.

View solution in original post

somesoni2 · ‎02-17-2016

Ensure that in "Start time"/Earliest field (Settings-> Searches, reports and alerts -> Your scheduled search) is set to @y and "Finish time"/Latest is set to now.

kel6cob · ‎02-17-2016

Cool!! I didn't know @y will take the beginning of the year, exactly what I was looking for. Thanks @somesoni2.

kel6cob · ‎02-17-2016

I used to schedule the report on 1st day of month @00:00 to retrieve the annual reports from Jan 1 to last day of prev month. This approach works perfect for first 11 months whereas for Dec month (say Dec2016) it will not work because earliest=@y will take next year (2017) if it runs on 1st day of Jan2017.

How do I handle this? Can the earliest field be modified if month is Dec using any eval conditions?

somesoni2 · ‎02-18-2016

If you're scheduling it to run on 1st of every month, try this

Start time/Earliest:             -2d@y
FInish time/Latest:              @mon

How to create a scheduled alert to generate Year To Date reports?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?