Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Reporting
- :
- Prior day Report on Monday
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a report that shows me the items installed on my systems for the prior day. the only problem is Monday as no one works on Sunday the report is always blank but should show for all day Friday and Saturday and Sunday. Mondays report should show for Friday and the weekend
Can i do this with the same search or do I have to create a new search?
index=ea sourcetype="*wineventlog:application" EventCode=11707 OR EventCode=11708 OR EventCode=11728 host!="*dev*" earliest=-1d@d latest=@d
| eval date_wday = strftime(_time, "%A")
| dedup _raw
| rex field=Message "(?s)Product: (?<product_name>.*) --"
| table _time date_wday host User product_name EventCode
| eval status=case(EventCode == 11708, "Failed", EventCode == 11707, "Success", EventCode == 11728, "Success")
| rename _time AS Time host AS Server product_name AS "Product Installed" status AS "Status"
| convert timeformat="%m/%d/%Y - %H:%M:%S" ctime(Time)
| fields Time Server User "Product Installed" Status EventCode`
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I used a subsearch to populate "earliest" and "latest".
This works:
index=main [ search index=_internal | head 1 | eval today=strftime(time(), "%a") | eval earliest=if(today="Mon", "-3d@d", "-1d@d") | eval latest="@d" | return earliest latest ]
I started here:
[ | stats count | eval earliest=if(date_wday="monday", "-3d@d", "-1d@d") | eval latest="@d" | table earliest, latest ]
That includes the tabular subsearch output, so I get a parse error from the search.
Switch instead to return:
[ | stats count | eval earliest=if(date_wday="monday", "-3d@d", "-1d@d") | eval latest="@d" | return earliest, latest ]
From here I can use the search inspector to see what the subsearch evaluates to. It seems that it always comes back as -1d@d. I think you're right about the context for "date_wday". If I change my | stats to something else "fast", like "search index=_internal | head 1", I do get date_wday, but that would be subject to the time of the one event returned. I think instead we should consider an eval / strptime based approach in relation to "now".
This is what I used to debug my settings until I had the today condition correct:
index=_internal | head 1 | eval today=strftime(time(), "%a") | eval earliest=if(today="Mon", "-3d@d", "-1d@d") | eval latest="@d" | table earliest, latest
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I used a subsearch to populate "earliest" and "latest".
This works:
index=main [ search index=_internal | head 1 | eval today=strftime(time(), "%a") | eval earliest=if(today="Mon", "-3d@d", "-1d@d") | eval latest="@d" | return earliest latest ]
I started here:
[ | stats count | eval earliest=if(date_wday="monday", "-3d@d", "-1d@d") | eval latest="@d" | table earliest, latest ]
That includes the tabular subsearch output, so I get a parse error from the search.
Switch instead to return:
[ | stats count | eval earliest=if(date_wday="monday", "-3d@d", "-1d@d") | eval latest="@d" | return earliest, latest ]
From here I can use the search inspector to see what the subsearch evaluates to. It seems that it always comes back as -1d@d. I think you're right about the context for "date_wday". If I change my | stats to something else "fast", like "search index=_internal | head 1", I do get date_wday, but that would be subject to the time of the one event returned. I think instead we should consider an eval / strptime based approach in relation to "now".
This is what I used to debug my settings until I had the today condition correct:
index=_internal | head 1 | eval today=strftime(time(), "%a") | eval earliest=if(today="Mon", "-3d@d", "-1d@d") | eval latest="@d" | table earliest, latest
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the lesson and the help
your a true asset to the Splunk team
Hope the weather is nice in New Jersey
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Edited to provide a working example.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This sounds like a good suggestion but I am having trouble with where to put it in the search:
search foo=* | search earliest=if(date_wday="Monday",-3d@d,-1d@d) latest=@d | table foo
This doesn't work because there is not time-frame to look for date_wday.
Maybe something like this;
search foo= [| search _time | eval earliest=if(date_wday="Monday",-3d@d,-1d@d)] latest=@d | table foo
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
