Reporting

Run a search and generate a report every morning at 7:30AM for the previous day (from 00:00:00 to 23:59:59)

nelsoko
Engager

I am struggling to figure out the search I need to generate a report from the previous day. I want to capture all assigned IP addresses on our network from 00:00:00am until 23:59:00pm every day and email it to our IT department in the morning @ 7:30.

I have tried:

dhcp* punct=":::___...::::::--/" earliest=@d latest=@d+23h+55m

(this is okay as long as I run the search at the right time.)

I am just wondering if there is some other way.

Thanks.

0 Karma
1 Solution

mcmaster
Communicator

For your earliest time try "-1d@d" and for the latest time try "@d". At 7:30AM, -1d@d is 00:00:00 of the previous day, and @d is 00:00:00 of the current day.

Here's the reference for relative time modifiers in Splunk:

http://docs.splunk.com/Documentation/Splunk/6.0.3/SearchReference/SearchTimeModifiers#How_to_specify...

"@d" means snap to the day, which will always give you 00:00:00. -1 means, obviously, 1 day in the past. @d by itself always gives you midnight of the current day.

Hope this helps!



nelsoko
Engager

Thanks for the input. I will give that a try. With the statement you have provided it wouldn't matter what time I ran the search; I would just be getting the results from the previous day. The only thing to change would be the cron schedule. Is there a way to make the report come as a single pdf file instead of multiple files?

0 Karma

linu1988
Champion

The cron schedule will be 30 7 * * * and the time range in the search will be:

earliest=-1d@d latest=@d
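The following is an added illustration, not code from the thread or from Splunk: a small Python model of the relative-time modifiers discussed above (offset units s/m/h/d plus the "@d" snap) and of the "30 7 * * *" cron schedule. It shows why earliest=-1d@d latest=@d yields the whole previous day no matter when the scheduled search fires, while the original earliest=@d latest=@d+23h+55m only works if the search runs late in the day. The function and variable names are this example's own; the "now" timestamps are constructed sample values.

```python
import re
from datetime import datetime, timedelta
from typing import Tuple

# Subset of Splunk relative-time syntax used in this thread: offsets like "-1d"
# or "+23h+55m" and the "@d" snap. Tokens are applied left to right, so "-1d@d"
# subtracts a day and then snaps to midnight, and "@d+23h+55m" snaps first and
# then adds the offset. This is a teaching model, not Splunk's parser: other
# units (w, mon, y) and other snap targets are deliberately unsupported.
_UNIT = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}
_TOKEN = re.compile(r"([+-]?\d+)([smhd])|(@d)")


def resolve(modifier: str, now: datetime) -> datetime:
    """Turn a relative-time modifier into an absolute time, given 'now'."""
    t, pos = now, 0
    for m in _TOKEN.finditer(modifier):
        if m.start() != pos:
            raise ValueError(f"unsupported modifier: {modifier!r}")
        pos = m.end()
        if m.group(3):  # "@d": snap to the start of the day
            t = t.replace(hour=0, minute=0, second=0, microsecond=0)
        else:           # signed offset, e.g. "-1d" or "+55m"
            t = t + timedelta(**{_UNIT[m.group(2)]: int(m.group(1))})
    if pos != len(modifier):
        raise ValueError(f"unsupported modifier: {modifier!r}")
    return t


def window(earliest: str, latest: str, now: datetime) -> Tuple[datetime, datetime]:
    """Absolute [earliest, latest) window a search would use if run at 'now'.
    Splunk treats latest as exclusive, so latest=@d stops just before today's
    00:00:00 and the previous day is covered through 23:59:59."""
    return resolve(earliest, now), resolve(latest, now)


def covers_previous_day(earliest: str, latest: str, now: datetime) -> bool:
    """True when the window is exactly the calendar day before 'now'."""
    today = now.replace(hour=0, minute=0, second=0, microsecond=0)
    return window(earliest, latest, now) == (today - timedelta(days=1), today)


def cron_matches(expr: str, t: datetime) -> bool:
    """Does a 5-field cron expression fire at minute 't'? Supports literal
    numbers and '*' only, which is all "30 7 * * *" needs."""
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError(f"expected 5 cron fields: {expr!r}")
    actual = [t.minute, t.hour, t.day, t.month, t.isoweekday() % 7]  # 0 = Sunday
    return all(f == "*" or int(f) == v for f, v in zip(fields, actual))


if __name__ == "__main__":
    # Constructed sample: the scheduled run at 07:30, and an ad-hoc rerun at 15:00.
    for run_at in (datetime(2024, 3, 12, 7, 30), datetime(2024, 3, 12, 15, 0)):
        print(f"run at {run_at:%H:%M}, cron fires now: {cron_matches('30 7 * * *', run_at)}")
        for e, l in (("-1d@d", "@d"), ("@d", "@d+23h+55m")):
            lo, hi = window(e, l, run_at)
            print(f"  earliest={e:<10} latest={l:<12} -> {lo} .. {hi}"
                  f"  previous day: {covers_previous_day(e, l, run_at)}")
```

Running it shows the accepted answer's window is 00:00 of the previous day to 00:00 of the current day at both run times, whereas the original modifiers resolve to today's midnight through 23:55 today, which at 07:30 is mostly in the future and so returns only a partial day.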
