Reporting

How to schedule 3 reports only on weekdays?

kkossery
Communicator

I'm new to Splunk and am being asked to configure it to submit a report generated at 8 AM, 12 PM and 4 PM on weekdays to management.
How do I design the rule to first search for events that happened 12 PM-8 AM, between 8 AM and 12 PM, and between 12 PM and 4 PM?
I'm getting Splunk to search Event IDs during the above time periods, if that helps.

Thank you for your help.

1 Solution

somesoni2
Revered Legend

Since there is no information about the report that you want to create, I am assuming it's getting the count; try this. (I also assumed the period 12PM-8AM is actually 12AM-8AM.)

your base search | eval hour=strftime(_time,"%H") | eval Period=case(hour>=0 AND hour<8,"12PM-8AM",hour>=8 AND hour<12,"8AM-12PM",hour>=12 AND hour<16,"12PM-4PM") | stats count by Period

This should give you output like this:

Period                count
.... ...........................
12PM-8AM             count1
8AM-12PM             count2
12PM-4PM             count3

Was this what you're looking for?

Update

Try this.

Create 3 scheduled searches with the same search string and the following specification.

Search 1:
Search string: <<Your search string>>
Start time: -8h@h
Finish time: @h
Cron Schedule: 0 8 * * *

This will run at 8AM every day and will process data from 8 hours back (12AM) to the current hour (8AM).

Search 2:
Search string: <<Your search string>>
Start time: -4h@h
Finish time: @h
Cron Schedule: 0 12 * * *

This will run at 12PM every day and will process data from 4 hours back (8AM) to the current hour (12PM).

Search 3:
Search string: <<Your search string>>
Start time: -4h@h
Finish time: @h
Cron Schedule: 0 16 * * *

This will run at 4PM every day and will process data from 4 hours back (12PM) to the current hour (4PM).
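As an added example (this is not code from the thread or from Splunk), the Python script below models what the two approaches above do, so you can see why the single `case()` search also counts historical data while the three scheduled searches only see their own window. It assumes hour-only time modifiers (`-Nh@h`, `@h`), the three schedules exactly as listed, and a small set of constructed sample events; the weekday-only cron variant `0 8 * * 1-5` at the end is an assumption added here to match the original weekday requirement, not something the answer states.

```python
from datetime import datetime, timedelta
import re

# Constructed sample events as (_time, EventCode); not real log data.
# 3 June 2024 is a Monday; 30 May 2024 is the previous Thursday (historical data).
SAMPLE_EVENTS = [
    ("2024-06-03 01:15", 4767),  # 12AM-8AM
    ("2024-06-03 07:59", 4741),  # 12AM-8AM
    ("2024-06-03 08:00", 4742),  # 8AM-12PM (boundary: hour 8 belongs to the second period)
    ("2024-06-03 11:30", 4777),  # 8AM-12PM
    ("2024-06-03 13:05", 4767),  # 12PM-4PM
    ("2024-06-03 17:45", 4741),  # hour 17: the case() assigns no Period, so stats drops it
    ("2024-05-30 09:00", 4742),  # historical event the reporter wants excluded
]

# The three scheduled searches from the answer: (name, earliest, latest, cron).
SCHEDULES = [
    ("Search 1", "-8h@h", "@h", "0 8 * * *"),
    ("Search 2", "-4h@h", "@h", "0 12 * * *"),
    ("Search 3", "-4h@h", "@h", "0 16 * * *"),
]

def _dt(s):
    return datetime.fromisoformat(s)

def period_of(ts):
    """Mirror the SPL case(): hours 0-7, 8-11 and 12-15 get a label; any other hour gets None."""
    h = ts.hour
    if 0 <= h < 8:
        return "12PM-8AM"
    if 8 <= h < 12:
        return "8AM-12PM"
    if 12 <= h < 16:
        return "12PM-4PM"
    return None

def count_by_period(events):
    """Equivalent of `stats count by Period`: events without a Period are not counted,
    but events from any past day still are, which is the historical-data problem."""
    counts = {}
    for ts, _code in events:
        p = period_of(_dt(ts))
        if p is not None:
            counts[p] = counts.get(p, 0) + 1
    return counts

_MOD = re.compile(r"^(?:(-?\d+)h)?@h$")

def apply_time_modifier(now, modifier):
    """Resolve a relative time modifier of the form '-Nh@h' or '@h': apply the hour
    offset, then snap down to the start of the hour (only hour units are supported here)."""
    m = _MOD.match(modifier)
    if not m:
        raise ValueError(f"unsupported modifier: {modifier}")
    shifted = now + timedelta(hours=int(m.group(1) or 0))
    return shifted.replace(minute=0, second=0, microsecond=0)

def _field_matches(spec, value):
    """Match one cron field: '*', a number, a range 'a-b', or a comma-separated list of those."""
    for part in spec.split(","):
        if part == "*":
            return True
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo <= value <= hi:
                return True
        elif int(part) == value:
            return True
    return False

def cron_matches(cron, when):
    """True if a 5-field cron expression fires at `when` (day-of-week: 0=Sunday .. 6=Saturday)."""
    dt = _dt(when)
    minute, hour, dom, month, dow = cron.split()
    cron_dow = (dt.weekday() + 1) % 7  # Python counts Monday=0, cron counts Sunday=0
    return (_field_matches(minute, dt.minute) and _field_matches(hour, dt.hour)
            and _field_matches(dom, dt.day) and _field_matches(month, dt.month)
            and _field_matches(dow, cron_dow))

def run_schedule(events, when):
    """For each schedule whose cron fires at `when`, return the events inside its time range
    (earliest inclusive, latest exclusive), keyed by schedule name."""
    run_time = _dt(when)
    hits = {}
    for name, earliest, latest, cron in SCHEDULES:
        if not cron_matches(cron, when):
            continue
        lo = apply_time_modifier(run_time, earliest)
        hi = apply_time_modifier(run_time, latest)
        hits[name] = [(ts, code) for ts, code in events if lo <= _dt(ts) < hi]
    return hits

if __name__ == "__main__":
    print("single search, all data:", count_by_period(SAMPLE_EVENTS))
    for when in ("2024-06-03 08:00", "2024-06-03 12:00", "2024-06-03 16:00"):
        print(when, run_schedule(SAMPLE_EVENTS, when))
    # Weekday-only variant (assumption added here, not from the thread): 1-5 in the day-of-week field.
    saturday = "2024-06-08 08:00"
    print(cron_matches("0 8 * * *", saturday), cron_matches("0 8 * * 1-5", saturday))
```

Running it shows the single search counting the historical Thursday event in the 8AM-12PM bucket, while each scheduled run only returns the events between its earliest and latest boundaries, and the Saturday run firing under `0 8 * * *` but not under the weekday-restricted variant.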

kkossery
Communicator

Thank you. I didn't know you could do this. I'll see if I can build from here. Any helpful docs for us beginners for writing queries like these?


somesoni2
Revered Legend

See the updated answer.


kkossery
Communicator

Will this run every day, or will it be scheduled at 8 AM, 12 PM and 4 PM and send the reports?


somesoni2
Revered Legend

Are you looking for the data for a specific day? Meaning today or yesterday, something like that?


kkossery
Communicator

Thanks so much. This is the base search I'm doing:
sourcetype="WinEventLog:Security" "eventcode=4767" OR "eventcode=4777" OR "eventcode=4741" OR "eventcode=4742" OR "eventcode=4742"
Based on your query, I'm going to get a large output, as we have historical data which I want to eliminate. I only want output for events that happened between those times, and not past events.
Your query has really helped narrow it down, but I'm stuck on ignoring past historical data.


kkossery
Communicator

I was not clear on my question. It is the same search for these 3 different time periods.


somesoni2
Revered Legend

Do you want to generate 3 different reports/searches that will run daily on weekdays and process data from 12PM-8AM, between 8AM and 12 PM, and between 12 PM and 4 PM, OR is it the same search/report that should run for these 3 different time periods?
