Reporting

Splunk dashboard refresh every 24 hours required (00:00 to 24:00 MST Hours)

kdulhan
Explorer

Hi All,

I have a Splunk search query which I run on a daily basis for the past day by selecting Date Range Between 09/18/2017 00:00:00 and 09/18/2017 24:00:00, i.e. for one complete day.

I get some tabular statistics providing a summary of total records, failed and passed records for that day.

Now I want to automate this to run every day to get the summary results for the previous day and display them on a dashboard.

After getting the summary view in tabular format using the Date range selected, I Save it as Dashboard Panel, Panel powered by Inline Search.

And then I go to View Dashboard.

Click on Edit > Edit Search (Mirror Icon) > Select Time Range as 'Use Time Picker' -> Auto Refresh Delay and click on Custom to put 24h. And then Save it.

Please let me know if it will refresh the Dashboard panel exactly after 24 hours considering the Date Range provided, i.e. Between 09/18/2017 00:00:00 and 09/18/2017 24:00:00. So the next refresh will give me data for Date Range Between 09/19/2017 00:00:00 and 09/19/2017 24:00:00. And I need the refresh to happen on 09/20/2017 at 2:00 AM.

Thank you.

0 Karma

s2_splunk
Splunk Employee

Create your search as a scheduled saved search to run once a day, then use the saved search in your dashboard instead of an inline search. That way your search only runs once per day, instead of every time someone loads the dashboard.
Saved search results are retained for 2*n, where n is your search timeframe. So, in your case, results will be available for 2 days (unless refreshed by another execution of the search).
You can then decide to refresh your dashboard panel at whatever interval you find reasonable.

0 Karma

kdulhan
Explorer

I have saved the search as a scheduled search to run at 8:00 every day and selected the Time range as Yesterday. Kindly let me know if this will pick all the events for Yesterday starting at 00:00:00 and ending at 24:00:00. If not, please let me know a way to have the time range for the reporting events to be yesterday starting at 00:00:00 and ending at 24:00:00.

So if it runs on 20/09 at 8:00, it should have the events from 19/09 00:00:00 to 19/09 24:00:00. And next time it runs on 21/09 at 8:00, it should have the events from 20/09 00:00:00 to 20/09 24:00:00.

Thanks.

0 Karma

s2_splunk
Splunk Employee

Yup, "yesterday" is equal to earliest=-1d@d latest=@d and covers prior day midnight to midnight of the previous day.

0 Karma
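
The scheduled report discussed in the replies above, written out as a `savedsearches.conf` stanza. This is an added example, not part of the original posts; the stanza name, index and field names are hypothetical placeholders.

```ini
# savedsearches.conf -- constructed example; stanza name, index and fields are placeholders
[Daily Record Summary]
# Placeholder search: replace with the query that produces the daily totals.
search = index=your_index | stats count AS total, count(eval(status="failed")) AS failed, count(eval(status="passed")) AS passed
# Run on a schedule instead of on every dashboard load.
enableSched = 1
# Cron fields: minute hour day-of-month month day-of-week -> 08:00 every day.
cron_schedule = 0 8 * * *
# "Yesterday" starts at midnight at the beginning of the previous day ...
dispatch.earliest_time = -1d@d
# ... and ends just before midnight at the beginning of today (latest is exclusive).
dispatch.latest_time = @d
# Check that the time zone used for the @d snap matches the reporting zone (MST here).
```

A dashboard panel can then reference the report by name with `<search ref="Daily Record Summary">` in Simple XML instead of embedding an inline query.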

kdulhan
Explorer

Thanks.

I have two reports sending results as an Inline table in the email. That means I am getting two emails with inline table results generated from two reports. Can I consolidate the results into a single email with two inline tables?

0 Karma