All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to specify a day in the alert?

theouhuios
Motivator
‎06-21-2013 07:40 AM

Hello

I have a search which creates thresholds and outputs it into a lookup. As of now its looking at 4hr spans, but I want it to look at data at some precise intervals. Like earliest starts at 12:00 AM and the latest ends at 11:59:59 PM. I can then use buckets of 4h span. How do I specify the exact time in earliest and latest? I do know that I can create a search for earliest at -4h@h and latest at @h and run it every 4 hours and schedule it at 12:00 , but that doesn't seem to give exact results.

I thought of doing it in seconds, but I am wondering on how do I do it.

Please let me know .

Thanks

Tags (2)
0 Karma
Reply

aholzer
Motivator
‎06-21-2013 08:52 AM

Use the "snap to" function for your earliest and latest and then just add hours, minutes and seconds equivalent to where you want it to reach.

earliest=-4h@d <= this will snap to 00:00:00 of the given day the -4h calculates to. Examples: you run the search at 5pm, it will snap to 00:00:00 of today. If you run the search at 2am, it will snap to 00:00:00 of yesterday.

latest=-1m@d+23h+59m+59s <= this will snap to 00:00:00 of the given day the -1m calculates to, and then will add 23 hours, 59 minutes, and 59 seconds

Hope this helps

Reply

aholzer
Motivator
‎07-09-2013 06:51 AM

Apparently @d+24h-1s is valid as well. Rather than having to specify @d+23h+59m+59s

0 Karma
Reply

sdaniels
Splunk Employee
Splunk Employee
‎06-21-2013 07:56 AM

you could use the weekday modifiers like @w0 (Sunday). This would give you the last full business week earliest=-7d@w1 latest=@w6 and then you could bucket it by 4 hour time windows.

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...