I wanted to generate a summary report for the number of saved searches triggered, based on the date (as column headers), on every Friday. For instance,
savedsearch_name  05/27/16  06/03/16  06/10/16
================  ========  ========  ========
abc               12        23        42
xyz               99        12        11
Any clues?
Thanks.
Give this a try
index=_internal sourcetype=scheduler status!=delegate* | eval day=strftime(dispatch_time,"%A") | where day="Friday" | eval Date=strftime(dispatch_time,"%m/%d/%Y") | chart count over savedsearch_name by Date
Update
This should get you what you want. Summarize the weekly execution count and show it on the Friday date.
index=_internal sourcetype=scheduler status!=delegate* | eval _time=relative_time(dispatch_time,"@w+5d") | eval Date=strftime(_time,"%m/%d/%Y") | chart count over savedsearch_name by Date
Sorry, my initial statement is not clear. The query works on the specific Date (or day), but I would like to get the weekly summary reported on every Friday.
OK. That will be simpler. Just remove the day calculation and filter.
index=_internal sourcetype=scheduler status!=delegate* | eval Date=strftime(dispatch_time,"%m/%d/%Y") | chart count over savedsearch_name by Date
Select the appropriate time range to select the full week.
The summary still shows on a daily basis.
Hi @splunkrocks2014 - If the updated answer from @somesoni2 provided your desired result, please don't forget to resolve the post by clicking on "Accept" below the answer. Thank you!
Try the updated answer.
Try this
index=_internal sourcetype=scheduler status!=delegate* | bin span=1w dispatch_time | eval Date=strftime(dispatch_time,"%m/%d/%Y") | chart count over savedsearch_name by Date
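The weekly roll-up onto a Friday column described in the "Update" answer can be checked without any scheduler data. The search below is an added example, not a query from any poster in this thread: it builds 14 constructed daily events starting Sunday 05/22/2016, with constructed savedsearch_name and status values, and applies the same "@w+5d" snap before charting.

```spl
| makeresults count=14
| streamstats count AS n
| eval dispatch_time=strptime("2016-05-22 09:00:00","%Y-%m-%d %H:%M:%S") + (n-1)*86400
| eval savedsearch_name=if(n%2==0,"abc","xyz")
| eval status=if(n%5==0,"delegated_remote","success")
| search status!=delegate*
| eval week_friday=relative_time(dispatch_time,"@w+5d")
| eval Date=strftime(week_friday,"%m/%d/%y")
| chart count over savedsearch_name by Date
```

Because "@w" snaps each dispatch_time back to the start of its week (Sunday) and "+5d" moves it to that week's Friday, the 14 days collapse into two columns, 05/27/16 and 06/03/16. Replacing the final chart with `| table dispatch_time week_friday Date` shows the per-event mapping.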