I have a Splunk search query which I run on a daily basis for the past day by selecting Date Range Between 09/18/2017 00:00:00 and 09/18/2017 24:00:00, i.e. for one complete day.
I get some tabular statistics providing a summary of total records, failed and passed records for that day.
Now I want to automate this to run every day, to get the summary results for the previous day and display them on a dashboard.
After getting the summary view in tabular format using the Date Range selected, I save it as a Dashboard Panel (Panel powered by Inline Search).
And then I go to View Dashboard.
Click on Edit > Edit Search (Mirror Icon) > select Time Range as 'Use Time Picker' -> Auto Refresh Delay, and click on Custom to put 24h. And then save it.
Please let me know if it will refresh the Dashboard panel exactly after 24 hours, considering the Date Range provided, i.e. Between 09/18/2017 00:00:00 and 09/18/2017 24:00:00. So the next refresh will give me data for the Date Range Between 09/19/2017 00:00:00 and 09/19/2017 24:00:00. And I need the refresh to happen on 09/20/2017 at 2:00 AM.
Create your search as a scheduled saved search to run once a day, then use the saved search in your dashboard instead of an inline search. That way your search only runs once per day, instead of every time someone loads the dashboard.
Saved search results are retained for 2*n, where n is your search timeframe. So, in your case, results will be available for 2 days (unless refreshed by another execution of the search).
You can then decide to refresh your dashboard panel at whatever interval you find reasonable.
I have saved the search as a scheduled search to run at 8:00 every day, and selected the Time Range as Yesterday. Kindly let me know if this will pick all the events for Yesterday, starting at 00:00:00 and ending at 24:00:00. If not, please let me know a way to have the time range for the reported events be yesterday, starting at 00:00:00 and ending at 24:00:00.
So if it runs on 20/09 at 8:00, it should have the events from 19/09 00:00:00 to 19/09 24:00:00. And the next time it runs, on 21/09 at 8:00, it should have the events from 20/09 00:00:00 to 20/09 24:00:00.
Yup, "yesterday" is equal to earliest=-1d@d latest=@d and covers prior day midnight to midnight of the previous day.
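As an added example that is not part of the original thread (and not Splunk's own code), the following Python script resolves the relative-time modifiers discussed above against a scheduled run time, so you can check what window a report scheduled at 08:00 (or at 02:00) actually covers before relying on it. It implements only the subset of the modifier syntax used here, an optional offset in s/m/h/d followed by an optional snap-to unit, and uses a handful of constructed event timestamps around the day boundary; both are assumptions of this example. Beyond the "yesterday" case it also resolves plain offsets such as -24h, to show why those are not midnight to midnight.

```python
import re
from datetime import datetime, timedelta
from typing import List, Tuple

# Assumption of this example: only the subset of Splunk's relative-time syntax
# used in the thread is implemented, namely an optional signed offset in
# seconds/minutes/hours/days (e.g. -1d, +2h) followed by an optional snap-to
# unit (e.g. @d). Week/month snapping, @w1-style weekday snapping and
# "snap first, then offset" forms such as @d-2h are deliberately left out.
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
_RELATIVE_TIME = re.compile(r"^(?:([+-]?\d+)([smhd]))?(?:@([smhd]))?$")


def resolve_relative_time(spec: str, now: datetime) -> datetime:
    """Resolve a modifier such as '-1d@d', '@d', '-24h' or 'now' against 'now'.

    The offset is applied first, then the result is snapped *backwards* to the
    start of the snap unit; snapping never moves forward in time.
    """
    if spec == "now":
        return now
    match = _RELATIVE_TIME.match(spec)
    if not spec or not match:
        raise ValueError(f"unsupported relative time modifier: {spec!r}")
    amount, unit, snap = match.groups()
    t = now
    if amount is not None:
        t = t + timedelta(seconds=int(amount) * _UNIT_SECONDS[unit])
    if snap == "s":
        t = t.replace(microsecond=0)
    elif snap == "m":
        t = t.replace(second=0, microsecond=0)
    elif snap == "h":
        t = t.replace(minute=0, second=0, microsecond=0)
    elif snap == "d":
        t = t.replace(hour=0, minute=0, second=0, microsecond=0)
    return t


def report_window(run_at: datetime, earliest: str = "-1d@d",
                  latest: str = "@d") -> Tuple[datetime, datetime]:
    """Window a scheduled report covers when it is dispatched at 'run_at'.

    Splunk treats earliest as inclusive and latest as exclusive, so with the
    defaults a run at any time on 20/09 covers 19/09 00:00:00 up to, but not
    including, 20/09 00:00:00 (the "19/09 24:00:00" of the question).
    """
    return (resolve_relative_time(earliest, run_at),
            resolve_relative_time(latest, run_at))


def report_window_iso(run_at_iso: str, earliest: str = "-1d@d",
                      latest: str = "@d") -> Tuple[str, str]:
    """String-in, string-out convenience wrapper around report_window."""
    e, l = report_window(datetime.fromisoformat(run_at_iso), earliest, latest)
    return e.isoformat(), l.isoformat()


def events_in_window(event_times: List[str], run_at_iso: str,
                     earliest: str = "-1d@d", latest: str = "@d") -> List[str]:
    """Keep the ISO-8601 event timestamps with earliest <= _time < latest."""
    e, l = report_window(datetime.fromisoformat(run_at_iso), earliest, latest)
    return [ts for ts in event_times if e <= datetime.fromisoformat(ts) < l]


# Constructed sample event timestamps around the boundaries of 19/09/2017.
SAMPLE_EVENT_TIMES = [
    "2017-09-18T23:59:59",  # last second of the 18th: excluded
    "2017-09-19T00:00:00",  # midnight starting the 19th: included (earliest is inclusive)
    "2017-09-19T13:37:00",  # an ordinary event on the 19th: included
    "2017-09-20T00:00:00",  # midnight ending the 19th: excluded (latest is exclusive)
    "2017-09-20T07:59:00",  # just before the 08:00 run: excluded, it belongs to the 20th
]


def main() -> None:
    # The window depends only on the calendar day the report runs, not on the
    # time of day, so an 08:00 and a 02:00 schedule cover the same events.
    for run_at in ("2017-09-20T08:00:00", "2017-09-20T02:00:00"):
        for earliest, latest in (("-1d@d", "@d"), ("-24h", "now")):
            window = report_window_iso(run_at, earliest, latest)
            picked = events_in_window(SAMPLE_EVENT_TIMES, run_at, earliest, latest)
            print(f"run at {run_at} with {earliest}/{latest}: {window} -> {picked}")


if __name__ == "__main__":
    main()
```

Splunk interprets these modifiers in the time zone of the user who owns the scheduled report, so run the check with that zone in mind; the script uses naive datetimes and makes no time-zone adjustment. The equivalent report definition in savedsearches.conf carries cron_schedule = 0 8 * * * (or 0 2 * * * for the 02:00 run asked for above), dispatch.earliest_time = -1d@d and dispatch.latest_time = @d, and the dashboard panel then references the report with a Simple XML search ref rather than an inline search, which is the point of the answer above.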
I have two reports sending results as an inline table in the email. That means I am getting two emails with inline table results generated from two reports. Can I consolidate the results into a single email with two inline tables?