How can I perform a scheduled search that searches...

prabhu77749 · ‎10-06-2017

Need help..

Hi,

I can run a search for 7 days and do eval to get data for particular hour but that seems a costly operation.

I am thinking to get past hour value to some variable like abc= stfrtime(_time,@H) and assign to date_hour
date_hour=abc and do a search for past 7 days.

Not able to find any Splunk field to use. Able to

index=abc_core search_test=* earliest=-1h@h latest=-0h@h | stats count as TodayStats by search_test |join search_test [search index=abc_core search_test=* (earliest=-25h@h latest=-24h@h) OR (earliest=-49h@h latest=-48h@h) OR (earliest=-73h@h latest=-72h@h) OR (earliest=-97h@h latest=-96h@h) OR (earliest=-121h@h latest=-120h@h) OR (earliest=-145h@h latest=-144h@h) OR (earliest=-169h@h latest=-168h@h) | stats count(search_test) as Count by search_test | eval WeeklyAvg=round(Count/7,0) | eval WeeklyAvg75=(Count/7)*0.75| table client_app_id WeeklyAvg WeeklyAvg75]|

index=abc_core search_test=* earliest=-7d@d latest=now | eval abc=stfrtime(timestamp/1000,"%H) | where date_hour=abc

Need help to do simpler and efficient way ..

Basic requirement - Not to search for all 7 days data and do eval and condition , but need to give some query code upfront to search for only that hour.. Need to use as dynamic saved search to run every hour.

somesoni2 · ‎10-06-2017

Give this a try

index=abc_core search_test=* earliest=-7d@h latest=@h
| eval date_hour=strftime(_time,"%H") | where date_hour=[| gentimes start=-1 | eval search=strftime(relative_time(now(),"-1h@h"),"%H") | table search ]
| eval day=strftime(_time,"%F") 
| chart count over search_test by day

How can I perform a scheduled search that searches for one specific hour of each day?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!