Reporting

How to include searched date or time range in alert report

djbyler
Explorer

When I perform a scheduled search (or realtime search) that triggers an alert, how can I include the effective search range (dates/times) in the alert email?

For example: "Splunk Alert: Widgets sold between 10/25 08:00:00 and 10/25 18:00:00", where the search range was 8 am through 6 pm today?

Tags (1)

lguinn2
Legend

At the end of the search, you could do this:

... | addinfo 
| eval searchStartTime=strftime(info_min_time,"%x %X") 
| eval searchEndTime=strftime(info_max_time,"%x %X")

Now the search range will be part of your search results. This is a simple thing to do.

If you really want to change the format of the alert email, take a look at this answer:

How do I customize schedule search alert emails

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!