I have this search that I want to be able to run every day between the hours of 00:00:00:000 and 23:55:00:000.
I looked at all of the time modifiers for searches and I can't find one that would fit this.
Any ideas? All I have for it for now is this (until I can figure this out):
sourcetype="Cron_SendNotificationEmail" source="*asia*" daysago=1 | rex field=_raw "send_to_email ?\[(?P<send_to_email>\S+)\]" max_match=100 | search send_to_email="*" | stats count(send_to_email)
This search would eventually be put into a dashboard. How would I have it search only between those hours every day? Is this something that would have to be "scheduled"?
If I'm following, I think you should be able to get what you want by adding earliest=-1d@d latest=-5m@d to get all the entries from yesterday during those hours. @d refers to the start of the current day, so you can say 1 day before the start of today until 5 minutes before the start of today.
That would be:
sourcetype="Cron_SendNotificationEmail" source="*asia*" earliest=-1d@d latest=-5m@d | rex field=_raw "send_to_email ?\[(?P<send_to_email>\S+)\]" max_match=100 | search send_to_email="*" | stats count(send_to_email)
FYI: I believe daysago is deprecated now. The new method is at: http://www.splunk.com/base/Documentation/latest/User/ChangeTheTimeRangeOfYourSearch
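As an added example, not code from the thread or from Splunk, here is a small Python evaluator for the relative time modifiers used in the replies above. It applies the tokens in the order Splunk documents: any offset written before the @ is applied first, then the snap, then any offsets written after it (the chained form `-1d@d+23h+55m` that appears later in this thread). That order is worth checking before trusting a window on a dashboard: `-5m@d` is "now minus five minutes, snapped to the start of that day", which for almost the whole day is simply the start of today, whereas `@d-5m` is five minutes before the start of today. The evaluator supports only s/m/h/d units and naive local timestamps; month, year and weekday snaps, and time-zone handling, are left out.

```python
"""Evaluate Splunk-style relative time modifiers (-1d@d, -5m@d, @d+23h+55m)."""
import re
from datetime import datetime, timedelta
from typing import Tuple

# One token at a time: an offset such as -1d or +23h, or a snap such as @d.
_TOKEN = re.compile(r"([+-]?\d+)([smhd])|@([smhd])")
_UNIT = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}


def _snap(t: datetime, unit: str) -> datetime:
    """Truncate t to the start of the given unit (second, minute, hour, day)."""
    t = t.replace(microsecond=0)
    if unit in ("m", "h", "d"):
        t = t.replace(second=0)
    if unit in ("h", "d"):
        t = t.replace(minute=0)
    if unit == "d":
        t = t.replace(hour=0)
    return t


def evaluate(modifier: str, now: datetime) -> datetime:
    """Apply the tokens of `modifier` to `now`, left to right, as Splunk does:
    leading offsets first, then the @ snap, then any trailing offsets."""
    text = modifier.strip()
    if text.startswith("now"):
        text = text[3:]
    t = now
    pos = 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None:
            raise ValueError(f"unsupported time modifier {modifier!r} near {text[pos:]!r}")
        pos = m.end()
        if m.group(3):
            t = _snap(t, m.group(3))
        else:
            # An unsigned integer is treated as a positive offset (my choice, not Splunk's grammar).
            t = t + timedelta(**{_UNIT[m.group(2)]: int(m.group(1))})
    return t


def window(earliest: str, latest: str, now_iso: str) -> Tuple[str, str]:
    """Resolve an earliest/latest pair against an ISO-8601 'now'; returns ISO strings."""
    now = datetime.fromisoformat(now_iso)
    return evaluate(earliest, now).isoformat(), evaluate(latest, now).isoformat()


if __name__ == "__main__":
    ref = "2012-03-15T09:30:00"  # constructed reference time, a mid-morning run
    for e, l in [("-1d@d", "-5m@d"),          # as proposed above
                 ("-1d@d", "@d-5m"),          # five minutes before midnight
                 ("-1d@d", "-1d@d+23h+55m"),  # yesterday 00:00 to 23:55
                 ("@d", "@d+23h+55m")]:       # today 00:00 to 23:55
        print(f"earliest={e:<15} latest={l:<15} -> {window(e, l, ref)}")
```

Run at 09:30 on 2012-03-15, `-5m@d` resolves to 2012-03-15 00:00:00, while `@d-5m` and `-1d@d+23h+55m` both resolve to 2012-03-14 23:55:00. Run at 00:02, `-5m@d` snaps to the start of the previous day instead, so a dashboard panel using it shows a different window depending on when it refreshes.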
Well, I'd like the search to run and bring back the results for every day between the hours of 00:00 and 23:55. This search will be on a dashboard, so hmmm... now I'm wondering if it should be a scheduled search that runs at, say, 00:05 to get the results or something. I'll mess around with these values.
I'd say what you might be looking for, then, is a summary index. That will let you run a search at 12:00 over the previous day, and toss whatever the result is in a separate index. Then, on the dashboard, you only need to pull up that one (or those few) results from the summary index, rather than parsing through the hundreds, thousands, or millions of results. This video gives you some of the theory of summary indexing: http://www.splunk.com/view/SP-CAAACZW . You can search the index to make a timechart of your count over the course of multiple days, which sounds like what you're after.
... earliest=-1d@d latest=-1d@d+23h+55m
assuming you run it after midnight to run for the previous day. If you run it at (e.g.) 23:57:00 for the current day, you just instead do:
... earliest=@d latest=@d+23h+55m
Or, if running over multiple days (or not recent days), you would do:
(date_hour < 23) OR (date_hour=23 AND date_minute < 55) OR (date_hour=23 AND date_minute=55 AND date_second=0)
NOT (date_hour >= 23 AND date_minute >= 55)
What if I want to run the same search but have it go back 7 days and display results from 00:00 to 11:55 on each day for 7 days in a chart? That's kind of what I'm working on now.
I'd want it to go back 7 days and on each day run the search from 00:00 to 23:55 and return the results. Sorry, had a typo in my last post, btw!
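As an added example, not code from the thread, the two date_hour/date_minute predicates from the reply above are written out as Python functions and then used for the 7-day per-day count asked about here, which is what the SPL version would do by adding the predicate to the base search over earliest=-7d@d latest=@d and finishing with timechart span=1d count(send_to_email). The raw events are constructed; the extraction regex is the one from the thread's rex command. Two caveats a practitioner will want: the predicates differ only at exactly 23:55:00, which the three-clause form keeps and the NOT form drops, and Splunk's date_hour/date_minute are derived from the timestamp as written in the raw event rather than from _time in the searching user's time zone, so events from mixed zones can land in the wrong bucket (the example below works on the parsed timestamp instead).

```python
"""Per-day counts of send_to_email events inside the 00:00:00-23:55:00 window
over a trailing 7-day range: what the date_hour/date_minute filter plus
timechart span=1d would produce in SPL."""
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, Iterable, Tuple

# Same extraction as the rex in the thread's search.
SEND_TO = re.compile(r"send_to_email ?\[(?P<send_to_email>\S+)\]")
# Constructed line shape: "<timestamp> <rest of the raw event>".
LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")


def within_day_window(t: datetime) -> bool:
    """The three-clause predicate: 00:00:00 through 23:55:00 inclusive."""
    return (t.hour < 23
            or (t.hour == 23 and t.minute < 55)
            or (t.hour == 23 and t.minute == 55 and t.second == 0))


def before_2355(t: datetime) -> bool:
    """The NOT (date_hour >= 23 AND date_minute >= 55) form; drops 23:55:00 itself."""
    return not (t.hour >= 23 and t.minute >= 55)


def classify(timestamp: str) -> Tuple[bool, bool]:
    """Evaluate both predicates on one 'YYYY-mm-dd HH:MM:SS' timestamp."""
    t = datetime.strptime(timestamp, "%Y-%m-%d %H:%M:%S")
    return within_day_window(t), before_2355(t)


def daily_counts(raw_events: Iterable[str], now_iso: str, days: int = 7,
                 predicate=within_day_window) -> Dict[str, int]:
    """Count events with at least one send_to_email extraction per day,
    for earliest=-<days>d@d latest=@d, keeping only events the predicate admits.
    Mirrors stats count(send_to_email), which counts events, not addresses."""
    now = datetime.fromisoformat(now_iso)
    end = now.replace(hour=0, minute=0, second=0, microsecond=0)   # @d
    start = end - timedelta(days=days)                              # -<days>d@d
    counts = Counter()
    for line in raw_events:
        m = LINE.match(line)
        if m is None:
            continue
        t = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        if not (start <= t < end) or not predicate(t):
            continue
        if SEND_TO.search(m.group(2)):
            counts[t.date().isoformat()] += 1
    return dict(sorted(counts.items()))


# Constructed sample events; the 23:55:00 and 23:55:30 lines probe the boundary.
SAMPLE_EVENTS = [
    "2012-03-07 10:00:00 Cron_SendNotificationEmail asia send_to_email [old@example.com]",
    "2012-03-13 12:00:00 Cron_SendNotificationEmail asia no recipients",
    "2012-03-13 12:00:01 Cron_SendNotificationEmail asia send_to_email [e@example.com] send_to_email [f@example.com]",
    "2012-03-14 00:00:00 Cron_SendNotificationEmail asia send_to_email [a@example.com]",
    "2012-03-14 23:54:59 Cron_SendNotificationEmail asia send_to_email[b@example.com]",
    "2012-03-14 23:55:00 Cron_SendNotificationEmail asia send_to_email [c@example.com]",
    "2012-03-14 23:55:30 Cron_SendNotificationEmail asia send_to_email [d@example.com]",
    "2012-03-15 00:01:00 Cron_SendNotificationEmail asia send_to_email [h@example.com]",
]
RUN_TIME = "2012-03-15T00:05:00"  # the scheduled run, five minutes after midnight

if __name__ == "__main__":
    print(daily_counts(SAMPLE_EVENTS, RUN_TIME))
    print(daily_counts(SAMPLE_EVENTS, RUN_TIME, predicate=before_2355))
```

With the sample above, the inclusive predicate yields 1 event for 2012-03-13 and 3 for 2012-03-14; the NOT form yields 2 for 2012-03-14 because it drops the 23:55:00 event. The event from 2012-03-07 falls outside -7d@d and the one from 00:01 on the run day falls at or after @d, so neither is counted, exactly as the SPL time range would exclude them.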