Reporting

Run a search and generate a report every morning at 7:30AM for the previous day (from 00:00:00 to 23:59:59)

nelsoko
Engager

I am struggling to figure out the search I need to generate a report for the previous day. I want to capture all assigned IP addresses on our network from 00:00:00am until 23:59:00pm every day and email it to our IT department in the morning at 7:30.

I have tried:

dhcp* punct=":::___...::::::--/" earliest=@d latest=@d+23h+55m

(this is okay as long as I run the search at the right time.)

I am just wondering if there is some other way.

Thanks.

1 Solution

mcmaster
Communicator

For your earliest time try "-1d@d" and for the latest time try "@d". At 7:30AM, -1d@d is 00:00:00 of the previous day, and @d is 00:00:00 of the current day.

Here's the reference for relative time modifiers in Splunk:

http://docs.splunk.com/Documentation/Splunk/6.0.3/SearchReference/SearchTimeModifiers#How_to_specify...

"@d" means snap to the day, which will always give you 00:00:00. -1 means, obviously, 1 day in the past. @d by itself always gives you midnight of the current day.

Hope this helps!

nelsoko
Engager

Thanks for the input. I will give that a try. With the statement you have provided it wouldn't matter what time I ran the search; I would just be getting the results from the previous day. The only thing to change would be the cron schedule. Is there a way to make the report come as a single PDF file instead of multiple files?


linu1988
Champion

The cron schedule will be 30 7 * * * and in the search:

earliest=-1d@d latest=@d
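To make the difference between the two approaches concrete (the accepted answer's earliest=-1d@d latest=@d versus the original earliest=@d latest=@d+23h+55m), here is a small resolver for Splunk-style relative time modifiers that evaluates them against a fixed clock and checks whether the resulting window covers every second of a calendar day. This is an added illustration, not code from the thread and not Splunk's own parser. It assumes: units limited to s/m/h/d (no mon, q, y, and no @w snapping), an explicit integer after every + or - sign, Splunk's boundary rule earliest <= _time < latest, and constructed example dates.

```python
"""Resolve a subset of Splunk relative time modifiers against a fixed clock,
to show which window an earliest=/latest= pair covers at a given run time.

Added illustration; not part of the original thread and not Splunk's parser.
Assumptions: units s/m/h/d only (no mon/q/y, no @w snapping), an explicit
integer after every +/- sign, and Splunk's rule earliest <= _time < latest.
"""
import re
from datetime import date, datetime, timedelta

_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

# One token is either an offset (+3h, -1d) or a snap (@d).
_TOKEN = re.compile(r"([+-])(\d+)([smhd])|@([smhd])")


def _snap(t: datetime, unit: str) -> datetime:
    """Truncate t to the start of the given unit (@s, @m, @h, @d)."""
    if unit == "s":
        return t.replace(microsecond=0)
    if unit == "m":
        return t.replace(second=0, microsecond=0)
    if unit == "h":
        return t.replace(minute=0, second=0, microsecond=0)
    return t.replace(hour=0, minute=0, second=0, microsecond=0)


def resolve(modifier: str, now: datetime) -> datetime:
    """Evaluate e.g. '-1d@d', '@d', '@d+23h+55m' or '-24h' relative to now.

    Tokens apply left to right: an offset moves the running time, an @unit
    snap truncates it, and offsets after the snap move the snapped value
    (so '-1d@d' and '@d-1d' both give midnight of the previous day)."""
    mod = modifier.strip()
    if mod in ("", "now"):
        return now
    t, pos = now, 0
    while pos < len(mod):
        m = _TOKEN.match(mod, pos)
        if m is None:
            raise ValueError(f"unsupported modifier syntax at {mod[pos:]!r}")
        sign, num, unit, snap_unit = m.groups()
        if snap_unit:
            t = _snap(t, snap_unit)
        else:
            delta = timedelta(seconds=int(num) * _UNIT_SECONDS[unit])
            t = t + delta if sign == "+" else t - delta
        pos = m.end()
    return t


def resolve_iso(modifier: str, now_iso: str) -> str:
    """String-in, string-out wrapper around resolve() for quick checks."""
    return resolve(modifier, datetime.fromisoformat(now_iso)).isoformat()


def search_window(earliest: str, latest: str, now: datetime):
    """Half-open [start, end) window a search run at `now` covers."""
    return resolve(earliest, now), resolve(latest, now)


def covers_calendar_day(earliest: str, latest: str, now: datetime, day: date) -> bool:
    """True if the window includes every second of `day` (00:00:00 to 23:59:59)."""
    start, end = search_window(earliest, latest, now)
    day_start = datetime.combine(day, datetime.min.time())
    return start <= day_start and end >= day_start + timedelta(days=1)


def check(earliest: str, latest: str, run_at_iso: str, day_iso: str) -> bool:
    """covers_calendar_day() with ISO-8601 string arguments."""
    return covers_calendar_day(earliest, latest,
                               datetime.fromisoformat(run_at_iso),
                               date.fromisoformat(day_iso))


if __name__ == "__main__":
    yesterday = date(2022, 6, 27)  # constructed example date
    candidates = [("-1d@d", "@d"), ("@d", "@d+23h+55m"), ("-24h", "now")]
    for run_at in (datetime(2022, 6, 28, 7, 30), datetime(2022, 6, 28, 13, 0)):
        for earliest, latest in candidates:
            start, end = search_window(earliest, latest, run_at)
            ok = covers_calendar_day(earliest, latest, run_at, yesterday)
            print(f"run {run_at:%H:%M}  earliest={earliest:<6} latest={latest:<11} "
                  f"-> [{start:%Y-%m-%d %H:%M}, {end:%Y-%m-%d %H:%M})  "
                  f"covers {yesterday}: {ok}")
```

Running the script shows that -1d@d / @d covers all of the previous day whether the search fires at 07:30 or 13:00, because both bounds snap to midnight and latest is exclusive, so 23:59:59 of the previous day is still inside the window. The original @d / @d+23h+55m pair covers today rather than yesterday when run at 07:30, and even when run late on the target day it stops at 23:55 and drops the last five minutes; -24h / now simply slides with the clock.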
