Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Run a search and generate a report every morning at 7:30AM for the previous day (from 00:00:00 to 23:59:59)

nelsoko
Engager
‎04-26-2014 07:25 PM

I am struggling to figure out the search I need to generate a report from the previous day. I want to capture all assigned IP address on our network from 00:00:00am until 23:59:00pm everyday and email it to our IT department in the morning @ 7:30.

i have tried:
dhcp* punct=":::___...::::::--/" earliest=@d latest=@d+23h+55m ( this is okay as long as
I run the search at the right time.)

I am just wondering if there is some other way.

Thanks.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mcmaster
Communicator
‎04-26-2014 08:05 PM

For your earliest time try "-1d@d" and for the latest time try "@d". At 7:30AM, -1d@d is 00:00:00 of the previous day, and @d is 00:00:00 of the current day.

Here's the reference for relative time modifiers in Splunk:

http://docs.splunk.com/Documentation/Splunk/6.0.3/SearchReference/SearchTimeModifiers#How_to_specify...

"@d" means snap to the day, which will always give you 00:00:00. -1 means, obviously, 1 day in the past. @d by itself always gives you midnight of the current day.

Hope this helps!

View solution in original post

Reply
Solved! Jump to solution
Solution

mcmaster
Communicator
‎04-26-2014 08:05 PM

For your earliest time try "-1d@d" and for the latest time try "@d". At 7:30AM, -1d@d is 00:00:00 of the previous day, and @d is 00:00:00 of the current day.

Here's the reference for relative time modifiers in Splunk:

http://docs.splunk.com/Documentation/Splunk/6.0.3/SearchReference/SearchTimeModifiers#How_to_specify...

"@d" means snap to the day, which will always give you 00:00:00. -1 means, obviously, 1 day in the past. @d by itself always gives you midnight of the current day.

Hope this helps!

Reply
Solved! Jump to solution

nelsoko
Engager
‎04-27-2014 10:46 AM

Thanks for the input. I will give that a try. With the statement you have provided it wouldn't matter what time I ran the search I would just be getting the results from the previous day. The only thing to change would be the cron schedule. It's there a way to make the report come as a single pdf file instead of multiple files?

0 Karma
Reply
Solved! Jump to solution

linu1988
Champion
‎04-27-2014 12:22 AM

the cron schedule will be 30 7 * * * in the search

earliest=-1d@d latest=@d

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...