- Splunk Answers
- :
- Using Splunk
- :
- Reporting
- :
- Re: Is there a way to include the time range used ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have several scheduled searches (reports) which are delivered every month in .pdf format via email.
Is there a way to include the time range the searches applied in these results (I mean which data ranges do the searches refer)?
It would be great if these info could be visible in the pdf pages...
Thanks,
Skender
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| addinfo | eval start=strftime(info_min_time, "%Y-%m-%d %T") | eval end=strftime(info_max_time, "%Y-%m-%d %T")
Then you could use the tokens $start$ and $end$ in your report
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can always do this for any report:
yoursearchhere
| yourreporthere
| addinfo
| eval TimeRange="Time range for report is from " . strftime(info_min_time,"%x %X") . " to " .
strftime(info_max_time,"%x %X")
However, it will probably look better if you use some other name in the eval instead of TimeRange. Here is an example
index=web status=404
| stats count by host status
| appendpipe [ addinfo
| eval host="Time range for report is from " . strftime(info_min_time,"%x %X") . " to " .
strftime(info_max_time,"%x %X") ]
This will put the "footnote" about the time range into the host column of the report. You can also play around with sorting, etc. to get the timerange information to the top of the report.
If you are creating a dashboard, you can put the time heading in its own panel at the top of the dashboard. However, you have to run some search before you get the addinfo data. So this would work
index=main | head 1
| addinfo
| eval 'Start Time'=" strftime(info_min_time,"%x %X")
| eval 'End Time'= strftime(info_max_time,"%x %X")
| table "Start Time" "End Time"
Save this as a report and add it to any dashboard - or use it as an inline search in any dashboard.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I used the variables in the edit alert, email action:
"The alert condition for "$name$" was triggered.
Results' time range:
$job.earliestTime$ --- $job.latestTime$"
Skender
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
The aim is to add this info as a title of the email which I receive when the trigger happens...
How to put them as tokens in the email trigger action (like the default search name for example: $name$)?
Thanks,
Skender
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| addinfo | eval start=strftime(info_min_time, "%Y-%m-%d %T") | eval end=strftime(info_max_time, "%Y-%m-%d %T")
Then you could use the tokens $start$ and $end$ in your report
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I edited the email alert of the scheduled search and I noticed an option which is called Trigger Time.
What does it mean? is it the time range the search includes?
Has someone used alert email tokens?
Skender
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What if I inserted the email alert: Time range is: $range$ where range is the token which used from the time range picker input...
Skender
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
