Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I restrict Splunk to search only for first day of every month for last 6 months?

rk1165
Loves-to-Learn Lots
‎07-04-2022 10:16 PM
 
Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-04-2022 10:46 PM

There are at least three different approaches. Each has its drawbacks.

One is that you search for date_mday=1. The downside to this method is that the field may not be set for all events and if there were any time (especially timezone) conversions applied to the events during indexing process this field might not be accurate (you might get events from late hours of day before or early hours of next day).

Another idea is that you eval with strftime to auxiliary field rendering only day of the month and then limit your results to those that have value of 1. Unfortunately - for this you have to process all your events for whole 6 months only to return some 1/30th of them. It's very inefficient and not feasible for large data sets.

And final possibility would be to either directly specify (earliest=x latest=y) OR (earliest=x latest=aa) [...] set of conditions (relatively ok for 6 periods) or use subsearch to generate them.

 

0 Karma
Reply

rk1165
Loves-to-Learn Lots
‎07-04-2022 10:50 PM

I am using the third option but for that also query times out for only 2 periods. I am not sure why though because effectively we are only searching for 6 days. If I search for the same event for last 7-8 days it works fine.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-04-2022 10:53 PM

Are you sure you're grouping the earliest/latest conditions properly?

0 Karma
Reply

rk1165
Loves-to-Learn Lots
‎07-04-2022 10:54 PM

This is how I am grouping

(earliest=05/01/2022:00:00:00 latest=05/01/2022:23:59:59) OR (earliest=06/01/2022:00:00:00 latest=06/01/2022:23:59:59)

Please let me know if this is fine.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-04-2022 11:02 PM

Looks OK but I don't trust the time specifiers and I'd try something like

(earliest=@mon latest=@mon+1d) OR (earliest=-1mon@mon latest=-1mon@mon+1d)

 

0 Karma
Reply

rk1165
Loves-to-Learn Lots
‎07-04-2022 11:12 PM

I first tried that way only but it ended up giving some results from a day before also. So, I tried fixing the exact dates to no avail.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-05-2022 02:02 AM

Question is what do you mean by "from a day before". I mean - do you mean _time values or the raw values within an event.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...