I'm new to Splunk and have been asked to configure it to submit a report, generated at 8, 12 and 4 PM on weekdays, to management.
How do I design the rule to first search for events that happened 12 PM-8 AM, then between 8 AM and 12 PM, and then between 12 PM and 4 PM?
I'm getting Splunk to search Event IDs during the above time periods, if that helps.
Thank you for your help.
Since there is no information about the report that you want to create, I am assuming it's getting the count; try this. (I also assumed the period 12PM-8AM is actually 12AM-8AM.)
your base search | eval hour=tonumber(strftime(_time,"%H")) | eval Period=case(hour>=0 AND hour<8,"12PM-8AM",hour>=8 AND hour<12,"8AM-12PM",hour>=12 AND hour<16,"12PM-4PM") | stats count by Period
This should give you output like this:
Period    count
--------  ------
12PM-8AM  count1
8AM-12PM  count2
12PM-4PM  count3
Was this what you're looking for?
Update
Try this.
Create 3 scheduled searches with the same search string and the following specifications.
Search 1:
Search string: <<Your search string>>
Start time: -8h@h
Finish time: @h
Cron Schedule: 0 8 * * *
This will run at 8AM every day and will process data from 8 hours back (12AM) to the current hour (8AM).
Search 2:
Search string: <<Your search string>>
Start time: -4h@h
Finish time: @h
Cron Schedule: 0 12 * * *
This will run at 12PM every day and will process data from 4 hours back (8AM) to the current hour (12PM).
Search 3:
Search string: <<Your search string>>
Start time: -4h@h
Finish time: @h
Cron Schedule: 0 16 * * *
This will run at 4PM every day and will process data from 4 hours back (12PM) to the current hour (4PM).
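The three scheduled searches above, written out as a savedsearches.conf file so the whole setup (search, schedule, time window, email action) is in one reviewable place. This is an added example, not code from the thread or from Splunk's own documentation; it assumes the asker's base search on EventCode 4767/4777/4741/4742, and the stanza names and the recipient address are placeholders. Two details it adds on top of the answer: the cron day-of-week field is 1-5 so the reports only run on weekdays, as the question asked, and dispatch.earliest_time/dispatch.latest_time bound every run to its own window, which is what keeps historical events out of the count. Relative times such as -8h@h are resolved in the timezone of the user who owns the saved search, so the owning account's timezone should match the business hours you are reporting on.

```ini
# Added example (not from the original thread): savedsearches.conf for
# three weekday reports over the asker's Windows Security event search.
# Each stanza bounds its own window; only the cron hour and the
# earliest_time differ. Names and the email address are placeholders.

[Security Account Events 12AM-8AM]
search = sourcetype="WinEventLog:Security" (EventCode=4767 OR EventCode=4777 OR EventCode=4741 OR EventCode=4742) \
| stats count by EventCode
enableSched = 1
# minute hour day-of-month month day-of-week; 1-5 = Monday to Friday
cron_schedule = 0 8 * * 1-5
# window: 8 hours back, snapped to the hour (00:00), up to the current hour (08:00)
dispatch.earliest_time = -8h@h
dispatch.latest_time = @h
action.email = 1
action.email.to = management@example.com
action.email.sendresults = 1
action.email.inline = 1

[Security Account Events 8AM-12PM]
search = sourcetype="WinEventLog:Security" (EventCode=4767 OR EventCode=4777 OR EventCode=4741 OR EventCode=4742) \
| stats count by EventCode
enableSched = 1
cron_schedule = 0 12 * * 1-5
# window: 08:00 to 12:00
dispatch.earliest_time = -4h@h
dispatch.latest_time = @h
action.email = 1
action.email.to = management@example.com
action.email.sendresults = 1
action.email.inline = 1

[Security Account Events 12PM-4PM]
search = sourcetype="WinEventLog:Security" (EventCode=4767 OR EventCode=4777 OR EventCode=4741 OR EventCode=4742) \
| stats count by EventCode
enableSched = 1
cron_schedule = 0 16 * * 1-5
# window: 12:00 to 16:00
dispatch.earliest_time = -4h@h
dispatch.latest_time = @h
action.email = 1
action.email.to = management@example.com
action.email.sendresults = 1
action.email.inline = 1
```

Because each run is already confined to one window, the per-event-code count is enough and the Period bucketing from the first answer is only needed if you want a single daily report covering all three windows at once. Splitting the count by EventCode rather than returning a bare total lets the reader see, for example, a spike in 4777 failures separately from routine computer-account changes.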
Thank you. I didn't know you could do this. I'll see if I can build from here. Any helpful docs for beginners on writing queries like these?
See the updated answer.
This will run every day, scheduled at 8 AM, 12 PM and 4 PM, and send the reports.
Are you looking for the data for a specific day? I mean today or yesterday, something like that?
Thanks so much. This is the base search I'm doing.
sourcetype="WinEventLog:Security" (EventCode=4767 OR EventCode=4777 OR EventCode=4741 OR EventCode=4742)
Based on your query, I'm going to get a large output, as we have historical data which I want to eliminate. I only want output for what has happened between those times and not past events.
Your query has really helped narrow it down, but I'm stuck on ignoring past historical data.
I was not clear in my question. It is the same search for these 3 different time periods.
Do you want to generate 3 different reports/searches that will run daily on weekdays and process data from 12PM-8AM, between 8AM and 12 PM and between 12 PM and 4 PM, OR is it the same search/report that should run for these 3 different time periods?