Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to mention particular time range in splunk search

Dayalss
Engager
‎07-06-2023 03:20 AM

Hi,

How can I configure a search query to run everyday between 5am to 11 :30 am IST in splunk search query.

I don't want to save it as a report but Im using this search in a dashboard and it has to run at a particular time daily.

Please help.

Thanks in advance.

 

Labels (1)
Labels
0 Karma
Reply

Dayalss
Engager
‎07-06-2023 03:29 AM

Hi @gcusello ,

I want to use that search in dashboard and not in report.

 

0 Karma
Reply

Dayalss
Engager
‎07-06-2023 03:37 AM

It is time range for search used in a dashboard

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-06-2023 03:41 AM

Hi @Dayalss ,

ok you have to add to your main search:

<your_search> time_hour>4 (time_hour<11 OR (time_hour<12 time_minutes<31))

Ciao.

Giuseppe

0 Karma
Reply

Dayalss
Engager
‎07-06-2023 04:04 AM

Its not loading any data , can you please help

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-06-2023 06:20 AM

Hi @Dayalss,

you have to extract the two new files before the search of make a more structured search:

index=abcd 
| eval time_hour=strftime(_time,"%H")
| eval time_minutes=strftime(_time,"%M")
| search time_hour>4 (time_hour<11 OR (time_hour<12 time_minutes<31))
| lookup locations.csv source OUTPUT Region SOD
| search Region = APAC
| eval Status=case(Statistic=0,"Green",Statistic=2,"Red",Statistic=1,"Blue",
1==1, " " )
| appendpipe [ stats count | eval Status="Black" | where count=0 | fields - count]
| stats latest(Status)

Ciao.

Giuseppe

0 Karma
Reply

Dayalss
Engager
‎07-06-2023 06:35 AM

Thanks for the query , its loading the data , but after the mentioned time there will be no new data then it has to show status as black but its picking green.

 

Can you please help to fix this.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-06-2023 06:37 AM

Hi @Dayalss,

uyou have to review the color status in your panel, it isn't a search problem.

Ciao.

Giuseppe

0 Karma
Reply

Dayalss
Engager
‎07-06-2023 03:51 AM

If possible can you please explain the logic or any documentation?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-06-2023 05:26 AM

Hi @Dayalss ,

you have to insert in the main search a filter to take only events in the defined time period.

To do this you can use two predefined fields called "time_hour" and "time_minutes", if you haven't it, you have to define as calculated fields using the following rule:

| eval time_hour=strftime(_time,"%H")
| eval time_minutes=strftime(_time,"%M")

Ciao.

Giuseppe

 

0 Karma
Reply

Dayalss
Engager
‎07-06-2023 06:14 AM

I'm unable to load the data.

index=abcd time_hour>4 (time_hour<11 OR (time_hour<12 time_minutes<31))
| eval time_hour=strftime(_time,"%H")
| eval time_minutes=strftime(_time,"%M")
|lookup locations.csv source OUTPUT Region SOD
| search Region = APAC
| eval Status=case(Statistic=0,"Green" ,
Statistic=2,"Red",
Statistic=1,"Blue",
1==1, " " )
| appendpipe [ stats count | eval Status="Black" | where count=0 | fields - count]
| stats latest(Status)

This is the query I'm using please check

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-06-2023 03:33 AM

Hi @Dayalss ,

ok, but that is the time range of the search or the schedule of a shared report.

I understood that you have a dashboard, not a report, but it's possible to schedule a report that autonomally runs and results are immediately available for the dashboards; it's a way to accelerate some heavy dashboards.

It isn't possible to schedule a search in a dashboard.

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-06-2023 03:27 AM

Hi @Dayalss ,

let me understand: do you want to run a search with that time range or do you want to schedule a shared report (to use in a dashboard).

If a shared report, Ok for the time range, but what's the frequency (e.g every 5 minutes)?

Ciao.

Giuseppe

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...