Set time frame of Splunk Dashboard report

Shashank_87
Explorer

Hi, I am working on a dashboard report which I need to schedule bi-weekly, i.e. Monday and Thursday morning. I have the cron expression ready (30 08 * * 1,4), but how do I change the time dynamically?
For example, when the report runs on Monday morning, it should fetch the data of Thursday, Friday, Saturday and Sunday. And when it runs on Thursday it should fetch the data from Monday, Tuesday and Wednesday.
Now if I set the time as "Last 4 days", the Monday report works fine but the Thursday report fetches the data of Sunday as well, which is not required.
Can someone help? Any suggestion or hint is appreciated.

0 Karma

gcusello
SplunkTrust

Hi Shashank_87,
I had the same problem and I solved it by creating two reports with the same search and different timeframes, one scheduled for Monday and the other for Thursday.

Ciao.
Giuseppe

0 Karma

wmyersas
Builder

Tweak the days for your case (I did with Tue & Fri, because I tested it today (Tuesday)):

index=ndx sourcetype=srctp
| eval dow=strftime(_time,"%a")
| eval today=strftime(now(),"%a")
| eval keept=if(today="Tue","Fri,Sat,Sun,Mon","No")
| makemv delim="," keept
| eval keepf=if(today="Fri","Tue,Wed,Thu","No")
| makemv delim="," keepf
| eval keep=if((mvfind(keept,'dow')>=0 OR mvfind(keepf,'dow')>=0),"yes","no")
| search keep="yes"
| stats count by dow today

This adds 5 fields to each event ( dow, today, keept, keepf, keep ), and keeps events only if the event's day of the week ( dow ) is found in one of the multivalue keep[f|t] fields.

Fwiw, this will also "work" every day of the week - but it will only return results when you run it on either Tuesday or Friday (see the today field).

There are probably good ways to improve this, but it's fully-functional now.

0 Karma

Shashank_87
Explorer

@wmyersas Thanks for your response. This logic also works but is a bit messy. I would just go with the creation of 2 reports and schedule them on Monday and Thursday respectively. But thanks for the response. I am saving this query. It might be helpful in future. 🙂

wmyersas
Builder

Scheduling two separate reports is easier in one regard - but you do now have to maintain two things instead of one 🙂

Personally, I'd prefer to have one that I just scheduled every day across the last 4-7 days, and get the results when there actually are some (Mo & Th) 🙂

0 Karma
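
An added example, not part of any post in this thread: a single report whose time window is chosen by a subsearch according to the weekday of the run, so the one cron schedule from the question (30 08 * * 1,4) covers both cases. It reuses the placeholder index=ndx sourcetype=srctp from the search above; the field name today and the one-day fallback window for runs on any other weekday are assumptions.

```spl
index=ndx sourcetype=srctp
    [| makeresults
     | eval today=strftime(now(),"%a")
     | eval earliest=case(today="Mon", relative_time(now(),"-4d@d"),
                          today="Thu", relative_time(now(),"-3d@d"),
                          true(), relative_time(now(),"-1d@d"))
     | eval latest=relative_time(now(),"@d")
     | return earliest latest]
| eval dow=strftime(_time,"%a")
| stats count by dow
```

On a Monday run the window is Thursday 00:00 up to Monday 00:00; on a Thursday run it is Monday 00:00 up to Thursday 00:00, so Sunday is excluded. The earliest and latest values returned by the subsearch take precedence over the time range configured on the report.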
