
search every day at specific times

gnovak
Builder

I have this search that I want to be able to run every day between the hours of 00:00:00:000 and 23:55:00:000.

I looked at all of the time modifiers for searches and I can't find one that would fit this.

Any ideas? All I have for it for now is this (until I can figure this out):

sourcetype="Cron_SendNotificationEmail" source="*asia*" daysago=1 | rex field=_raw "send_to_email ?\[(?P<send_to_email>\S+)\]" max_match=100 | search send_to_email="*" | stats count(send_to_email)

This search would eventually be put into a dashboard. How would I have it search only between those hours every day? Is this something that would have to be "scheduled"?

1 Solution

David
Splunk Employee

If I'm following, I think you should be able to get what you want by adding earliest=-1d@d latest=-5m@d to get all the entries from yesterday during those hours. @d refers to the start of the current day, so you can say 1 day before the start of today until 5 minutes before the start of today.

That would be:

sourcetype="Cron_SendNotificationEmail" source="*asia*" earliest=-1d@d latest=-5m@d | rex field=_raw "send_to_email ?\[(?P<send_to_email>\S+)\]" max_match=100 | search send_to_email="*" | stats count(send_to_email)

FYI: I believe daysago is deprecated now. The new method is at: http://www.splunk.com/base/Documentation/latest/User/ChangeTheTimeRangeOfYourSearch


gkanapathy
Splunk Employee
... earliest=-1d@d latest=-1d@d+23h+55m

assuming you run it after midnight to run for the previous day. If you run it at (e.g.) 23:57:00 for the current day, you just instead do:

... earliest=@d latest=@d+23h+55m

Or, if running over multiple days (or not recent days), you would do:

(date_hour < 23) OR (date_hour=23 AND date_minute < 55) OR (date_hour=23 AND date_minute=55 AND date_second=0)

or, shorter:

NOT (date_hour >= 23 AND date_minute >= 55)
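To make the modifier arithmetic and the date_hour/date_minute filters above concrete, here is an added Python example (not from this thread and not Splunk's own code). It assumes Splunk's evaluation order of offsets before "@", then the snap, then offsets after the snap, and that latest is exclusive; the timestamps are constructed around the 23:55 boundary so the difference between the long and short filter forms is visible.

```python
import re
from datetime import datetime, timedelta

UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}

def _offset(spec):
    """Sum offsets such as '-1d' or '+23h+55m'; a bare unit ('-d') means one unit."""
    delta = timedelta()
    for sign, num, unit in re.findall(r"([+-])(\d*)([smhd])", spec):
        n = int(num or 1)
        delta += timedelta(**{UNITS[unit]: n if sign == "+" else -n})
    return delta

def _snap(t, unit):
    """Snap to the start of the day ('@d') or hour ('@h')."""
    if unit == "d":
        return t.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "h":
        return t.replace(minute=0, second=0, microsecond=0)
    raise ValueError(f"unsupported snap unit: {unit!r}")

def resolve(modifier, now):
    """Resolve e.g. '-1d@d+23h+55m' against `now`. Assumed order (Splunk's):
    offsets before '@' first, then the snap, then offsets after the snap."""
    pre, at, post = modifier.partition("@")
    t = now + _offset(pre)
    if at:
        unit = re.match(r"[a-z]+", post).group(0)
        t = _snap(t, unit) + _offset(post[len(unit):])
    return t

def count_in_range(times, earliest, latest, now):
    """Count events with earliest <= _time < latest (latest is exclusive)."""
    lo, hi = resolve(earliest, now), resolve(latest, now)
    return sum(1 for t in times if lo <= t < hi)

def keep_short(t):
    """NOT (date_hour >= 23 AND date_minute >= 55): drops the whole 23:55 minute."""
    return not (t.hour >= 23 and t.minute >= 55)

def keep_long(t):
    """The three-clause form, which additionally keeps 23:55:00 exactly."""
    return (t.hour < 23 or (t.hour == 23 and t.minute < 55)
            or (t.hour == 23 and t.minute == 55 and t.second == 0))

# Constructed sample _time values (not real data): run at 00:05 on 10 May, events on 9 May around 23:55.
NOW = datetime(2024, 5, 10, 0, 5)
EVENTS = [datetime(2024, 5, 9, 0, 0, 0), datetime(2024, 5, 9, 12, 30, 0),
          datetime(2024, 5, 9, 23, 54, 59), datetime(2024, 5, 9, 23, 55, 0),
          datetime(2024, 5, 9, 23, 57, 0), datetime(2024, 5, 10, 0, 1, 0)]
```

Swap NOW for datetime.now() and EVENTS for real _time values to check what a modifier resolves to before scheduling the search.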

gkanapathy
Splunk Employee

That would just be one of the last two suggestions, run over the past 7 days.


gnovak
Builder

I'll make a new question for this. 🙂


gnovak
Builder

I'd want it to go back 7 days and on each day run the search from 00:00 to 23:55 and return the results. Sorry, I had a typo in my last post btw!

0 Karma

gnovak
Builder

What if I want to run the same search but have it go back 7 days and display results from 00:00 to 11:55 on each day for 7 days in a chart? That's kind of what I'm working on now.



David
Splunk Employee

I'd say what you might be looking for, then, is a summary index. That will let you run a search at 12:00 over the previous day, and toss whatever the result is in a separate index. Then, on the dashboard, you only need to pull up that one (or those few) results from the summary index, rather than parsing through the hundreds, thousands, or millions of results. This video gives you some of the theory of summary indexing: http://www.splunk.com/view/SP-CAAACZW . You can search the index to make a timechart of your count over the course of multiple days, which sounds like what you're after.


gnovak
Builder

Well, I'd like the search to run and bring back the results for every day between the hours of 00:00 and 23:55. This search will be on a dashboard, so hmmm... now I'm wondering if it should be a scheduled search that runs at, say, 00:05 to get the results or something. I'll mess around with these values.
