Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

I want to create an alert from last 7 days

Rocky31
Path Finder
‎04-19-2018 10:59 AM

I want to create an alert from last 7 days of data just for a time range of 10 AM to 11 AM i only need this data at the same time from last 7 days(week). how to write a query to this info any help here.

Tags (1)
Reply

woodcock
Esteemed Legend
‎04-22-2018 12:40 PM

This is a perfect use case for multisearch:

| multisearch
[Your Common Search Here [|makeresults | eval earliest=relative_time(now(), "@d+10h") | eval latest=earliest + (60*60) | eval search="earliest=" . earliest . " latest=" . latest] | eval which="Today"]
[Your Common Search Here [|makeresults | eval earliest=relative_time(now(), "-7d@d+10h") | eval latest=earliest + (60*60) | eval search="earliest=" . earliest . " latest=" . latest] | eval which=LastWeek"]
| stats Your Stuff Here BY which
| your conditional logic stuff here
0 Karma
Reply

DalJeanis
Legend
‎04-20-2018 12:02 PM

If you have a fixed hour you want, then it's easy enough...

  index=foo ...other base search terms...   date_hour=10

That will get you only events that happened in the 10:00-11:00 hour. Depending on what YOU mean by time, you may need to add or subtract an offset from UTC.

For instance, here in Texas, in US Central Daylight Savings Time, we are at UTC -5. Since event _time is set by UTC time, 10:00 AM local is 3:00 PM UTC, so we'd use date_hour=15.

0 Karma
Reply

nplamondon
Communicator
‎04-19-2018 01:28 PM

You may also want to check out timewrap if you want to see the results overlaid on the same chart.

0 Karma
Reply

somesoni2
Revered Legend
‎04-19-2018 11:25 AM

Give this a try

index=foo sourcetype=bar..other base search terms... [| gentimes start=-7 | eval earliest=relative_time(starttime,"@+10h") | eval latest=relative_time(starttime,"@+11h") | table earliest latest | format ]
| rest of the search
0 Karma
Reply

mghocke
Path Finder
‎04-19-2018 11:06 AM

You can calculate the hour of an event with eval/strftime and use search or where to look only at those:

<your search> | eval Hour=strftime(_time,"%H") | where Hour="10" | <process the results>
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...