Reporting

How do I generate a report based on date on every Friday?

splunkrocks2014
Communicator

I wanted to generate a summary report for number of saved searches triggered based on the date (as column headers) on every Friday. For instance,

savedsearch_name  05/27/16   06/03/16   06/10/16 
===============   =======    ========  ========
abc                    12          23        42
xyz                    99          12        11

Any clues?

Thanks.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Give this a try

index=_internal sourcetype=scheduler status!=delegate* | eval day=strftime(dispatch_time,"%A") | where day="Friday" | eval Date=strftime(dispatch_time,"%m/%d/%Y") | chart count over savedsearch_name by Date

Update

This should get you what you want. Summarize weekly execution count and show them on Friday date.

index=_internal sourcetype=scheduler status!=delegate*  | eval _time=relative_time(dispatch_time,"@w+5d")| eval Date=strftime(dispatch_time,"%m/%d/%Y") | chart count over savedsearch_name by Date
0 Karma

splunkrocks2014
Communicator

Sorry, my initial statement is not clear. The query works on the specific Date (or day), but I would like to get the weekly summary reported on every Friday.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Ok.. That will be simpler. Just remoave the day calculation and filter.

index=_internal sourcetype=scheduler status!=delegate*  | eval Date=strftime(dispatch_time,"%m/%d/%Y") | chart count over savedsearch_name by Date
0 Karma

somesoni2
SplunkTrust
SplunkTrust

Select the appropriate time range to select the full week.

0 Karma

splunkrocks2014
Communicator

The summary still shows in a daily basis.

0 Karma

aaraneta_splunk
Splunk Employee
Splunk Employee

Hi @splunkrocks2014 - If the updated answer from @somesoni2 provided your desired result, please don't forget to resolve the post by clicking on "Accept" below the answer. Thank you!

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Try the updated answer.

0 Karma

sundareshr
Legend

Try this

 index=_internal sourcetype=scheduler status!=delegate*  | bin span=1w dispatch_time | eval Date=strftime(dispatch_time,"%m/%d/%Y") | chart count over savedsearch_name by Date
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...