How to schedule 3 reports only on weekdays?

kkossery
Communicator

I'm new to Splunk and have been asked to configure it to submit a report, generated at 8 AM, 12 PM and 4 PM on weekdays, to management.
How do I design the rule to first search for events that happened between 12 PM and 8 AM, between 8 AM and 12 PM, and between 12 PM and 4 PM?
I'm getting Splunk to search Event IDs during the above time periods, if that helps.

Thank you for your help.

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Since there is no information about the report you want to create, I am assuming it's getting the count; try this. (I also assumed the period 12PM-8AM is actually 12AM-8AM.)

your base search | eval hour=strftime(_time,"%H") | eval Period=case(hour>=0 AND hour<8,"12PM-8AM",hour>=8 AND hour<12,"8AM-12PM",hour>=12 AND hour<16,"12PM-4PM") | stats count by Period

This should give you output like this:

Period      count
--------    ------
12PM-8AM    count1
8AM-12PM    count2
12PM-4PM    count3

Was this what you're looking for?

Update

Try this.

Create 3 scheduled searches with the same search string and the following specifications.

Search 1:
Search string: <<Your search string>>
Start time: -8h@h
Finish time: @h
Cron Schedule: 0 8 * * *

This will run at 8 AM every day and will process data from 8 hours back (12 AM) to the current hour (8 AM).

Search 2:
Search string: <<Your search string>>
Start time: -4h@h
Finish time: @h
Cron Schedule: 0 12 * * *

This will run at 12 PM every day and will process data from 4 hours back (8 AM) to the current hour (12 PM).

Search 3:
Search string: <<Your search string>>
Start time: -4h@h
Finish time: @h
Cron Schedule: 0 16 * * *

This will run at 4 PM every day and will process data from 4 hours back (12 PM) to the current hour (4 PM).
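The three scheduled searches above written out as savedsearches.conf stanzas, as an added example that is not part of the thread: it uses the asker's base search, restricts the cron to Monday-Friday (1-5) because the question asks for weekday reports, and assumes the stanza names, the recipient address, the app path and the per-EventCode count (the answer only assumed "a count").

```ini
# Added example, not from the thread. Place in an app's local directory, e.g.
# $SPLUNK_HOME/etc/apps/<your_app>/local/savedsearches.conf (path assumed).
# dispatch.earliest_time/latest_time give each run its own window, so historical
# data outside the window is never included. Recipient address is a placeholder.

[Security report 12AM-8AM]
search = sourcetype="WinEventLog:Security" (EventCode=4767 OR EventCode=4777 OR EventCode=4741 OR EventCode=4742) | stats count by EventCode
enableSched = 1
# 08:00 Monday to Friday only (day-of-week field 1-5)
cron_schedule = 0 8 * * 1-5
dispatch.earliest_time = -8h@h
dispatch.latest_time = @h
action.email = 1
action.email.to = security-mgmt@example.com
action.email.subject = Security events 12AM-8AM
action.email.sendresults = 1
action.email.inline = 1

[Security report 8AM-12PM]
search = sourcetype="WinEventLog:Security" (EventCode=4767 OR EventCode=4777 OR EventCode=4741 OR EventCode=4742) | stats count by EventCode
enableSched = 1
# 12:00 Monday to Friday only
cron_schedule = 0 12 * * 1-5
dispatch.earliest_time = -4h@h
dispatch.latest_time = @h
action.email = 1
action.email.to = security-mgmt@example.com
action.email.subject = Security events 8AM-12PM
action.email.sendresults = 1
action.email.inline = 1

[Security report 12PM-4PM]
search = sourcetype="WinEventLog:Security" (EventCode=4767 OR EventCode=4777 OR EventCode=4741 OR EventCode=4742) | stats count by EventCode
enableSched = 1
# 16:00 Monday to Friday only
cron_schedule = 0 16 * * 1-5
dispatch.earliest_time = -4h@h
dispatch.latest_time = @h
action.email = 1
action.email.to = security-mgmt@example.com
action.email.subject = Security events 12PM-4PM
action.email.sendresults = 1
action.email.inline = 1
```

Three stanzas are needed because the 8 AM run covers an 8-hour window while the other two cover 4 hours; if all windows were equal, one stanza with cron_schedule = 0 8,12,16 * * 1-5 would be enough.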

kkossery
Communicator

Thank you. I didn't know you could do this. I'll see if I can build from here. Any helpful docs for us beginners for writing queries like these?

0 Karma

somesoni2
SplunkTrust
SplunkTrust

See the updated answer.

0 Karma

kkossery
Communicator

Will this run every day, or will it be scheduled at 8 AM, 12 PM and 4 PM and send the reports?

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Are you looking for the data for a specific day? I mean today or yesterday, something like that?

0 Karma

kkossery
Communicator

Thanks so much. This is the base search I'm doing:
sourcetype="WinEventLog:Security" (EventCode=4767 OR EventCode=4777 OR EventCode=4741 OR EventCode=4742)
Based on your query, I'm going to get a large output, as we have historical data which I want to eliminate. I only want output for events that happened between those times, not past events.
Your query has really helped narrow it down, but I'm stuck with ignoring past historical data.

0 Karma

kkossery
Communicator

I was not clear on my question. It is the same search for these 3 different time periods.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Do you want to generate 3 different reports/searches that will run daily on weekdays and process data from 12PM-8AM, between 8AM and 12PM and between 12PM and 4PM, OR is it the same search/report that should run for these 3 different time periods?

0 Karma