Reporting

How to schedule 3 reports only on weekdays?

Communicator

I'm new to Splunk and have been asked to configure it to submit a report, generated at 8 AM, 12 PM and 4 PM on weekdays, to management.
How do I design the rule to first search for events that happened 12 PM-8 AM, between 8 AM and 12 PM, and between 12 PM and 4 PM?
I'm getting Splunk to search Event IDs during the above time periods, if that helps.

Thank you for your help.

1 Solution

SplunkTrust

Since there is no information about the report that you want to create, I am assuming it's getting the count; try this. (I also assumed the period 12PM-8AM is actually 12AM-8AM.)

your base search | eval hour=strftime(_time,"%H") | eval Period=case(hour>=0 AND hour<8,"12PM-8AM",hour>=8 AND hour<12,"8AM-12PM",hour>=12 AND hour<16,"12PM-4PM") | stats count by Period

This should give you output like this

Period                count
.... ...........................
12PM-8AM             count1
8AM-12PM             count2
12PM-4PM             count3

Was this what you're looking for?

Update


Try this.

Create 3 scheduled searches with the same search string and the following specifications.

Search 1:
Search string: <<Your search string>>
Start time: -8h@h
Finish time: @h
Cron Schedule: 0 8 * * *

This will run at 8 AM every day and will process data from 8 hours back (12 AM) to the current hour (8 AM).

Search 2:
Search string: <<Your search string>>
Start time: -4h@h
Finish time: @h
Cron Schedule: 0 12 * * *

This will run at 12 PM every day and will process data from 4 hours back (8 AM) to the current hour (12 PM).

Search 3:
Search string: <<Your search string>>
Start time: -4h@h
Finish time: @h
Cron Schedule: 0 16 * * *

This will run at 4 PM every day and will process data from 4 hours back (12 PM) to the current hour (4 PM).

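Putting the three scheduled searches above into configuration, as an added example that is not part of the original answer: these savedsearches.conf stanzas use the questioner's Windows Security base search from later in the thread, restrict the cron schedule to Monday to Friday (`1-5`, which the question asked for and the cron lines above do not do), bound each run with the same earliest/latest times, and send the results by email. The stanza names, the `stats count by EventCode` summary and the recipient address are assumptions; replace them with your own.

```ini
# Added example (not from the original answer): three weekday reports in
# savedsearches.conf. Assumed: stanza names, the "stats count by EventCode"
# summary, and the recipient address. The base search is the one the
# questioner posted later in the thread.

# 8 AM run: covers 12 AM to 8 AM (-8h@h snaps 8 hours back to the hour)
[Account changes 12AM-8AM]
search = sourcetype="WinEventLog:Security" (EventCode=4767 OR EventCode=4777 OR EventCode=4741 OR EventCode=4742) | stats count by EventCode
enableSched = 1
cron_schedule = 0 8 * * 1-5
dispatch.earliest_time = -8h@h
dispatch.latest_time = @h
action.email = 1
action.email.to = management@example.com
action.email.subject = Account changes 12AM-8AM
action.email.sendresults = 1
action.email.inline = 1

# 12 PM run: covers 8 AM to 12 PM
[Account changes 8AM-12PM]
search = sourcetype="WinEventLog:Security" (EventCode=4767 OR EventCode=4777 OR EventCode=4741 OR EventCode=4742) | stats count by EventCode
enableSched = 1
cron_schedule = 0 12 * * 1-5
dispatch.earliest_time = -4h@h
dispatch.latest_time = @h
action.email = 1
action.email.to = management@example.com
action.email.subject = Account changes 8AM-12PM
action.email.sendresults = 1
action.email.inline = 1

# 4 PM run: covers 12 PM to 4 PM
[Account changes 12PM-4PM]
search = sourcetype="WinEventLog:Security" (EventCode=4767 OR EventCode=4777 OR EventCode=4741 OR EventCode=4742) | stats count by EventCode
enableSched = 1
cron_schedule = 0 16 * * 1-5
dispatch.earliest_time = -4h@h
dispatch.latest_time = @h
action.email = 1
action.email.to = management@example.com
action.email.subject = Account changes 12PM-4PM
action.email.sendresults = 1
action.email.inline = 1
```

The same values can be entered through Settings > Searches, reports, and alerts instead of editing the file. Two checks before trusting the output: events between 4 PM and midnight (and anything on Saturday and Sunday) fall outside all three windows, so widen the 8 AM run, for example to `-16h@h`, if management should see them; and confirm which time zone the scheduler applies to the cron expression and the dispatch times, since a mismatch shifts every window by the offset.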

Communicator

Thank you. I didn't know you could do this. I'll see if I can build from here. Any helpful docs for us beginners for writing queries like these?


SplunkTrust

See the updated answer.


Communicator

Will this run every day, or will it be scheduled at 8 AM, 12 PM and 4 PM and send the reports?


SplunkTrust

Are you looking for the data for a specific day? I mean today or yesterday, something like that?


Communicator

Thanks so much. This is the base search I'm doing.
sourcetype="WinEventLog:Security" (EventCode=4767 OR EventCode=4777 OR EventCode=4741 OR EventCode=4742)
Based on your query, I'm going to get a large output, as we have historical data which I want to eliminate. I only want output for what has happened between those times, not past events.
Your query has really helped narrow it down, but I'm stuck on ignoring past historical data.


Communicator

I was not clear on my question. It is the same search for these 3 different time periods.


SplunkTrust

Do you want to generate 3 different reports/searches that will run daily on weekdays and process data from 12PM-8AM, between 8AM and 12PM, and between 12PM and 4PM, or is it the same search/report that should run for these 3 different time periods?
