Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to mention particular time range in splunk search

Dayalss
Engager
‎07-06-2023 03:20 AM

Hi,

How can I configure a search query to run everyday between 5am to 11 :30 am IST in splunk search query.

I don't want to save it as a report but Im using this search in a dashboard and it has to run at a particular time daily.

Please help.

Thanks in advance.

 

Labels (1)
Labels
0 Karma
Reply

Dayalss
Engager
‎07-06-2023 03:29 AM

Hi @gcusello ,

I want to use that search in dashboard and not in report.

 

0 Karma
Reply

Dayalss
Engager
‎07-06-2023 03:37 AM

It is time range for search used in a dashboard

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-06-2023 03:41 AM

Hi @Dayalss ,

ok you have to add to your main search:

<your_search> time_hour>4 (time_hour<11 OR (time_hour<12 time_minutes<31))

Ciao.

Giuseppe

0 Karma
Reply

Dayalss
Engager
‎07-06-2023 04:04 AM

Its not loading any data , can you please help

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-06-2023 06:20 AM

Hi @Dayalss,

you have to extract the two new files before the search of make a more structured search:

index=abcd 
| eval time_hour=strftime(_time,"%H")
| eval time_minutes=strftime(_time,"%M")
| search time_hour>4 (time_hour<11 OR (time_hour<12 time_minutes<31))
| lookup locations.csv source OUTPUT Region SOD
| search Region = APAC
| eval Status=case(Statistic=0,"Green",Statistic=2,"Red",Statistic=1,"Blue",
1==1, " " )
| appendpipe [ stats count | eval Status="Black" | where count=0 | fields - count]
| stats latest(Status)

Ciao.

Giuseppe

0 Karma
Reply

Dayalss
Engager
‎07-06-2023 06:35 AM

Thanks for the query , its loading the data , but after the mentioned time there will be no new data then it has to show status as black but its picking green.

 

Can you please help to fix this.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-06-2023 06:37 AM

Hi @Dayalss,

uyou have to review the color status in your panel, it isn't a search problem.

Ciao.

Giuseppe

0 Karma
Reply

Dayalss
Engager
‎07-06-2023 03:51 AM

If possible can you please explain the logic or any documentation?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-06-2023 05:26 AM

Hi @Dayalss ,

you have to insert in the main search a filter to take only events in the defined time period.

To do this you can use two predefined fields called "time_hour" and "time_minutes", if you haven't it, you have to define as calculated fields using the following rule:

| eval time_hour=strftime(_time,"%H")
| eval time_minutes=strftime(_time,"%M")

Ciao.

Giuseppe

 

0 Karma
Reply

Dayalss
Engager
‎07-06-2023 06:14 AM

I'm unable to load the data.

index=abcd time_hour>4 (time_hour<11 OR (time_hour<12 time_minutes<31))
| eval time_hour=strftime(_time,"%H")
| eval time_minutes=strftime(_time,"%M")
|lookup locations.csv source OUTPUT Region SOD
| search Region = APAC
| eval Status=case(Statistic=0,"Green" ,
Statistic=2,"Red",
Statistic=1,"Blue",
1==1, " " )
| appendpipe [ stats count | eval Status="Black" | where count=0 | fields - count]
| stats latest(Status)

This is the query I'm using please check

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-06-2023 03:33 AM

Hi @Dayalss ,

ok, but that is the time range of the search or the schedule of a shared report.

I understood that you have a dashboard, not a report, but it's possible to schedule a report that autonomally runs and results are immediately available for the dashboards; it's a way to accelerate some heavy dashboards.

It isn't possible to schedule a search in a dashboard.

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-06-2023 03:27 AM

Hi @Dayalss ,

let me understand: do you want to run a search with that time range or do you want to schedule a shared report (to use in a dashboard).

If a shared report, Ok for the time range, but what's the frequency (e.g every 5 minutes)?

Ciao.

Giuseppe

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...