Set time frame of Splunk Dashboard report

Shashank_87
Explorer

Hi, I am working on a dashboard report which I need to schedule bi-weekly, i.e. Monday and Thursday morning. I have the Cron expression ready (30 08 * * 1,4), but how do I change the time dynamically?
For example, when the report runs on Monday morning, it should fetch the data of Thursday, Friday, Saturday and Sunday. And when it runs on Thursday, it should fetch the data from Monday, Tuesday and Wednesday.
Now if I set the time as "Last 4 days", the Monday report works fine, but the Thursday report fetches the data of Sunday as well, which is not required.
Can someone help? Any suggestion or hint is appreciated.

0 Karma
1 Solution

gcusello
SplunkTrust

Hi Shashank_87,
I had the same problem and I solved it by creating two reports with the same search and different timeframes, one scheduled for Monday and the other for Thursday.

Ciao.
Giuseppe

0 Karma

wmyersas
Builder

Tweak the days for your case (I did with Tue & Fri, because I tested it today (Tuesday)):

index=ndx sourcetype=srctp
| eval dow=strftime(_time,"%a")
| eval today=strftime(now(),"%a")
| eval keept=if(today="Tue","Fri,Sat,Sun,Mon","No")
| makemv delim="," keept
| eval keepf=if(today="Fri","Tue,Wed,Thu","No")
| makemv delim="," keepf
| eval keep=if((mvfind(keept,'dow')>=0 OR mvfind(keepf,'dow')>=0),"yes","no")
| search keep="yes"
| stats count by dow today

This adds 5 fields to each event ( dow, today, keept, keepf, keep ), and keeps events only if the event's day of the week ( dow ) is found in one of the multivalue keep[f|t] fields.

Fwiw, this will also "work" every day of the week - but it will only return results when you run it on either Tuesday or Friday (see the today field).

There are probably good ways to improve this, but it's fully-functional now.

0 Karma

Shashank_87
Explorer

@wmyersas Thanks for your response. This logic also works but is a bit messy. I would just go with the creation of 2 reports and schedule them on Monday and Thursday respectively. But thanks for the response. I am saving this query. It might be helpful in the future. 🙂

wmyersas
Builder

Scheduling two separate reports is easier in one regard - but you do now have to maintain two things instead of one 🙂

Personally, I'd prefer to have one that I just scheduled every day across the last 4-7 days, and get the results when there actually are some (Mo & Th) 🙂

0 Karma
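
Added example, not written by any poster in this thread: a single scheduled search can pick its own window by letting a subsearch return earliest and latest as epoch values, which gives the one-report behaviour discussed above without filtering events by day name. It reuses the placeholder index=ndx sourcetype=srctp from the search above and assumes the 30 08 * * 1,4 schedule from the question; the one-day fallback for any other weekday is an arbitrary choice.

```spl
index=ndx sourcetype=srctp
    [| makeresults
     | eval today=strftime(now(),"%a")
     | eval earliest=case(today="Mon", relative_time(now(),"-4d@d"),
                          today="Thu", relative_time(now(),"-3d@d"),
                          true(),      relative_time(now(),"-1d@d"))
     | eval latest=relative_time(now(),"@d")
     | return earliest latest]
| eval dow=strftime(_time,"%a")
| stats count by dow
```

On a Monday run the window is Thursday 00:00 up to Monday 00:00, and on a Thursday run it is Monday 00:00 up to Thursday 00:00. Time modifiers written in the search string take precedence over the time range saved with the report.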
