Alerting

How to create a scheduled alert to generate Year To Date reports?

kel6cob
New Member

Hi,

I have created a search to pull annual records using time range "Year to date" option. It displays the all the annual records perfectly. If I save this search as an alert and scheduled to run on certain days, it's not fetching "Year to date" records instead it gives records for last 1 month. So how do I create an alert to pull "Year to date" records ?

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Ensure that in "Start time"/Earliest field (Settings-> Searches, reports and alerts -> Your scheduled search) is set to @y and "Finish time"/Latest is set to now.

View solution in original post

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Ensure that in "Start time"/Earliest field (Settings-> Searches, reports and alerts -> Your scheduled search) is set to @y and "Finish time"/Latest is set to now.

0 Karma

kel6cob
New Member

Cool!! I didn't know @y will take the beginning of the year, exactly what I was looking for. Thanks @somesoni2.

0 Karma

kel6cob
New Member

I used to schedule the report on 1st day of month @00:00 to retrieve the annual reports from Jan 1 to last day of prev month. This approach works perfect for first 11 months whereas for Dec month (say Dec2016) it will not work because earliest=@y will take next year (2017) if it runs on 1st day of Jan2017.

How do I handle this? Can the earliest field be modified if month is Dec using any eval conditions?

0 Karma

somesoni2
SplunkTrust
SplunkTrust

If you're scheduling it to run on 1st of every month, try this

Start time/Earliest:             -2d@y
FInish time/Latest:              @mon
0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...