Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do i create new field with last day of reporting period to my search?

iamsplunker
Communicator
‎07-24-2020 01:03 PM

I have a report which runs every week on Monday , I'm using earliest and latest time in my search .  Now I wanted to add a new field to my search called lastdate say if a report period is between 07/01 to 07/07 the lastdate field should display 07/07 and For my monthly report how do I create new field called MonthEnd and this  should displays the values as June 30 for month ending date, Please help

 

 

Labels (1)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎07-24-2020 01:24 PM

Hi

add to your stats

 

| stats .... latest(_time) as lastDay range(_time) AS dateRange ....
| eval lastDayOfMonth = strftime (lastDay, "%B %d"),
       lastDay = strftime (lastDay, "%d/%m"),
       reportPeriod = if (dateRange > 604800, "Monthly", "Weekly") ....

 

and then use those fields lastDay and lastDayOfMonth.

r. Ismo

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎07-24-2020 01:24 PM

Hi

add to your stats

 

| stats .... latest(_time) as lastDay range(_time) AS dateRange ....
| eval lastDayOfMonth = strftime (lastDay, "%B %d"),
       lastDay = strftime (lastDay, "%d/%m"),
       reportPeriod = if (dateRange > 604800, "Monthly", "Weekly") ....

 

and then use those fields lastDay and lastDayOfMonth.

r. Ismo

0 Karma
Reply
Solved! Jump to solution

iamsplunker
Communicator
‎07-27-2020 07:58 AM

Thanks Sautamo the lastday field works just fine. But I also want to add a field called Report Period the value should represent the Week/Month depending on the granularity of the report. 

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎07-27-2020 08:26 AM

Hi

I updated my previous answer by adding reportPeriod.

r. Ismo

0 Karma
Reply
Solved! Jump to solution

iamsplunker
Communicator
‎07-27-2020 11:04 AM

Thanks soutamo. I accepted your answer. I hope this is the last comment in this thread. Can you please explain about  the value you've mentioned  604800 . For both date ranges 6/1 -6/7 and 6/1-6/30 it is showing the Granularity as Weekly. for 6/1-6/30 it should show as Monthly. Thanks for all your help

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎07-27-2020 11:43 AM

It is seven days in seconds. Current stats needs that there are events (_time) for start and end date/time. Of course you could use those from your given start and end dates where this would works even there haven’t been any events. 
r. Ismo

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎07-24-2020 01:24 PM 
earliest="07/01/2020:00:00:00" latest="07/07/2020:23:59:59" index=_internal | head 1
| addinfo
| eval lastdate=strftime(info_max_time,"%F")
| eval MonthEnd=strftime(relative_time(info_min_time,"@month-1d"),"%F")
| table lastdate MonthEnd
0 Karma
Reply
Get Updates on the Splunk Community!

Harnessing Splunk’s Federated Search for Amazon S3

Managing your data effectively often means balancing performance, costs, and compliance. Splunk’s Federated ...

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...