How to fetch the events with the time greater than...

Real_captain

Hi Team

Can you please let me know how it is possible to fetch the events with the time greater than the time of the 1st event in the dashboard.

Example: I've 3 jobs executed every day at around below timings:
Job1 : Around 10 PM ( Day D)
Job2 : Around 3 AM ( Day D + 1)
Job3 : Around 6 AM ( Day D + 1)

I am fetching the latest of the Job1/Job2/Job3 to show in the dashboard and want the result in the below format.

If we are after 5 PM - 10 PM ,
Job1 : PLANNED
Job2 : PLANNED
Job3 : PLANNED

If we are at 11 PM ,
Job1 : Executed at 10:00
Job2 : PLANNED
Job3 : PLANNED

If we are 4 AM ,
Job1 : Executed at 10:00
Job2 : Executed at 03:00
Job3 : PLANNED

If we are 7 AM ,
Job1 : Executed at 10:00
Job2 : Executed at 03:00
Job3 : Executed at 06:00

If we are 4 PM ,
Job1 : PLANNED
Job2 : PLANNED
Job3 : PLANNED

If we are at 5 PM ,
Job1 : PLANNED
Job2 : PLANNED
Job3 : PLANNED

We want to consider the start of day at 5 PM and end at next day at 5 PM instead of using last 24 hours / today.

Real_captain

Hi Everyone

Query1:
Thanks for suggesting multiple solutions. I am able to fetch the details correctly but i am not able to set the business day as below:
Business day starts at 5 PM (D) and ends at 5 PM (D+1)

I've attached the final set of code. Can you please help to answer this last question to set the business day as 5 PM to 5 PM.

Query2:
Also, for Monday , business day should be 5 PM Friday to 5 PM Monday. is it possible ??

I've attached final source code.
Can you please help to provide me the updates required in the source code to solve the above 2 queries.

Real_captain

Hello All
Thanks for suggesting multiple solutions. I am able to fetch the details correctly but i am not able to set the business day as below:
Business day starts at 5 PM (D) and ends at 5 PM (D+1)

I've attached the final set of code. Can you please help to answer this last question to set the business day as 5 PM to 5 PM.

iamsahilshaiks

Don't know If I am correct but - As your business day starts at 5 PM (D) and ends at 5 PM (D+1), you need to adjust _time accordingly and you should extract the latest execution time for Job1, Job2, and Job3 within this custom day window. Based on the current time, determine whether a job is PLANNED or EXECUTED.

| makeresults count=1
| eval now=relative_time(now(), "@d+17h") # Adjusting the custom day window (5 PM as the start of the day)
| append [search index=your_index
sourcetype=your_sourcetype
earliest=-1d@d+17h latest=@d+17h
| eval job_status=if(_time <= now, strftime(_time, "Executed at %H:%M"), "PLANNED")
| stats latest(_time) as job_time latest(job_status) as job_status by job_name
]
| eval job_status=if(isnull(job_status), "PLANNED", job_status)
| table job_name job_status

If _time is stored in epoch format, no need to convert it.
Adjust the @d+17h if your business day has different start hours.

Note: Please use the above query using your own index and sourcetype name.

Thanks,
Shaik Sahil

Splunk Core Certified Consultant

PickleRick

No! Don't do makeresults | append [ a big search ].

This way you're on your best path to shoot yourself in the foot with prematurely finalized subsearch!

No to mention that the now in the subsearch has nothing to do with the now in the outer search.

ITWhisperer

Since you only want to consider your day to start at the previous 5pm, you could try adjusting your search earliest time appropriately

index = events_prod_cdp_penalty_esa source="SYSLOG" sourcetype=zOS-SYSLOG-Console ( TERM(VVF006H) OR TERM(VVF003H) OR TERM(VVZJ1BH) OR TERM(VVZJ1CH) OR TERM(VVZJ1DH) OR TERM(VVZJ1EH) OR TERM(HVVZK3A) ) ("- ENDED" OR "- STARTED" OR "ENDED - ABEND") [| makeresults
    | eval earliest=relative_time(now(),"-17h@d+17h")]

Real_captain

@ITWhisperer
Thanks, its working fine when we are analyzing the current day (Yesterday 5 Pm to today 5 PM).

Is it possible to replace now () with the time provided by the Input time panel.
i.e
----if i select today in the Input time panel, it will consider the start of day as 5 PM of today
----if i select yesterday in the Input time panel, it will consider the start of day as 5 PM of yesterday and end of day as 5 PM of today
----if i select 31/03/2025 in the Input time panel, it will consider the start of day as 5 PM of 31/03/2025 and end of day as 5 PM of 01/04/2025

ITWhisperer

Assuming your search is already using time input to set the time frame, the search can override this as shown below

index = events_prod_cdp_penalty_esa source="SYSLOG" sourcetype=zOS-SYSLOG-Console ( TERM(VVF006H) OR TERM(VVF003H) OR TERM(VVZJ1BH) OR TERM(VVZJ1CH) OR TERM(VVZJ1DH) OR TERM(VVZJ1EH) OR TERM(HVVZK3A) ) ("- ENDED" OR "- STARTED" OR "ENDED - ABEND") [| makeresults
    | addinfo
    | eval earliest=relative_time(info_min_time,"-17h@d+17h")
    | eval latest=relative_time(earliest,"+24h")
    | table earliest latest]

Real_captain

Thanks @ITWhisperer
Can you please let me know how to set the field "info_min_time" ?

I've used the Time input as below :
<input type="time" token="field1">
<label>TIME</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
<change>
<eval token="token_time.earliest_epoch">if(isnum('earliest'),'earliest',relative_time(now(),'earliest')</eval>
<eval token="token_time.latest_epoch">if(isnum('latest'),'latest',relative_time(now(),'latest')</eval>
</change>
</input>

ITWhisperer

info_min_time comes from the addinfo command. The values it provide comes from whatever timeframe you have set your search to run with. Without seeing your complete dashboard, it is hard to say what tokens you are using for your search. But since you already appear to have a time selection input, with a token name of field1, why not use field1.earliest as your panel search earliest and field1.latest as your panel search latest?

isoutamo

Maybe this old post helps you? https://community.splunk.com/t5/Splunk-Search/dashboard-time-token-with-multiple-ealiest-latest-sear...

Real_captain

Thanks Ismo for your quick reply.

I've attached the splunk query , csv file and the output. Can you please let me know how can i use those values and _time from indexed data from ran job's log.

Real_captain

Csv file is attached.

Real_captain

Sample output.

isoutamo

Hi

I think that you should create e.g. a csv lookup file which contains something like

job, realtive day, start time, end time
job1, 0, 22:00, 00:00
job2, 1, 03:00, 05:00
job3, 1, 06:00, 08:00

Maybe some other fields if/as needed. Then use those values and _time from indexed data from ran job's log. Also relative_time to adjust/check time in past and future.

r. Ismo

How to fetch the events with the time greater than the time of the 1st event in the dashboard ?

monitoring console

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies