Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Set time frame of Splunk Dashboard report

Shashank_87
Explorer
‎10-15-2019 06:10 AM

Hi, I am working on a dashboard report which i need to schedule bi-weekly i.e. Monday and Thursday morning. I have the Cron expression ready (30 08 * * 1,4) but how do i change the time dynamically?
For example When report runs on Monday morning, it should fetch the data of Thursday, Friday, Saturday and Sunday. And when it runs on Thursday it should fetch the data from Monday, Tuesday and Wednesday.
Now if i set the time as "Last 4 days", Monday report works fine but Thursday report fetches the data of Sunday as well which is not required.
Can someone help? Any suggestion or hint is appreciated.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-15-2019 07:00 AM

Hi Shashank_87,
I had the same problem and I solved creating two reports with the same search and different timeframe, one scheduled for Monday and the other for Thursday.

Ciao.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

wmyersas
Builder
‎10-15-2019 09:51 AM

Tweak the days for your case (I did with Tue & Fri, because I tested it today (Tuesday)):

index=ndx sourcetype=srctp
| eval dow=strftime(_time,"%a")
| eval today=strftime(now(),"%a")
| eval keept=if(today="Tue","Fri,Sat,Sun,Mon","No")
| makemv delim="," keept
| eval keepf=if(today="Fri","Tue,Wed,Thu","No")
| makemv delim="," keepf
| eval keep=if((mvfind(keept,'dow')>=0 OR mvfind(keepf,'dow')>=0),"yes","no")
| search keep="yes"
| stats count by dow today

This adds 5 fields to each event ( dow, today, keept, keepf, keep ), and keeps events only if the event's day of the week ( dow ) is found in one of the multivalue keep[f|t] fields.

Fwiw, this will also "work" every day of the week - but it will only return results when you run it on either Tuesday or Friday (see the today field).

There are probably good ways to improve this, but it's fully-functional now.

0 Karma
Reply
Solved! Jump to solution

Shashank_87
Explorer
‎10-17-2019 04:50 AM

@wmyersas Thanks for your response. This logic also works but a bit messy. I would just go with creation of 2 reports and schedule it on monday and thursday respectively. But Thanks for the response. I am saving this query. Might be helpful in future. 🙂

Reply
Solved! Jump to solution

wmyersas
Builder
‎10-17-2019 05:08 AM

Scheduling two separate reports is easier in one regard - but you do now have to maintain two things instead of one 🙂

Personally, I'd prefer to have one that I just scheduled every day across the last 4-7 days, and get the results when there actually are some (Mo & Th) 🙂

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-15-2019 07:00 AM

Hi Shashank_87,
I had the same problem and I solved creating two reports with the same search and different timeframe, one scheduled for Monday and the other for Thursday.

Ciao.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...