Splunk Search

Dashboard Update Monthly Scans

DBattisto
Communicator

Hello, I created a series of dashboards that will automatically update when data from a monthly scan is ingested. In this scenario, I have a scan that runs on the 18th of every month and automatically gets sent to Splunk shortly after the scan concludes. In this case, the scan typically finishes between 0330 and 0500. I have the "Advanced" time range configured as follows:

@mon17+3h - @mon17+6h

The issue I'm running into is that by the time the first of the month rolls around, all information on that dashboard resets because it now views the '@mon' as the current month, and there is obviously no data for 18 days into the future.

Is there a better way to configure my search ranges that someone could suggest? I appreciate any and all assistance. Thank you!

Tags (2)
0 Karma

somesoni2
SplunkTrust
SplunkTrust

I think I copied it wrong in my previous comments. The correct values are earliest: +11d-1mon@mon+16d+3h and latest=: +11d-1mon@mon+16d+6h. See this runanywhere sample to see how the time range changes with current date.

| gentimes start=-50 | eval current=starttime   | table current| eval earliest=relative_time(current,"+11d-1mon@mon+16d+3h") | eval latest=relative_time(current,"+11d-1mon@mon+16d+6h") | convert ctime(*) as *_human
0 Karma

somesoni2
SplunkTrust
SplunkTrust

Give this a try for your time range

earliest: +11d-1mon@mon+17+3h
latest=: +11d-1mon@mon+17+6h

0 Karma

DBattisto
Communicator

This did not resolve my issue. It only set the time back to last month. Thank you for the suggestion though.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...