Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do i create new field with last day of reporting period to my search?

iamsplunker
Communicator
‎07-24-2020 01:03 PM

I have a report which runs every week on Monday , I'm using earliest and latest time in my search .  Now I wanted to add a new field to my search called lastdate say if a report period is between 07/01 to 07/07 the lastdate field should display 07/07 and For my monthly report how do I create new field called MonthEnd and this  should displays the values as June 30 for month ending date, Please help

 

 

Labels (1)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎07-24-2020 01:24 PM

Hi

add to your stats

 

| stats .... latest(_time) as lastDay range(_time) AS dateRange ....
| eval lastDayOfMonth = strftime (lastDay, "%B %d"),
       lastDay = strftime (lastDay, "%d/%m"),
       reportPeriod = if (dateRange > 604800, "Monthly", "Weekly") ....

 

and then use those fields lastDay and lastDayOfMonth.

r. Ismo

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎07-24-2020 01:24 PM

Hi

add to your stats

 

| stats .... latest(_time) as lastDay range(_time) AS dateRange ....
| eval lastDayOfMonth = strftime (lastDay, "%B %d"),
       lastDay = strftime (lastDay, "%d/%m"),
       reportPeriod = if (dateRange > 604800, "Monthly", "Weekly") ....

 

and then use those fields lastDay and lastDayOfMonth.

r. Ismo

0 Karma
Reply
Solved! Jump to solution

iamsplunker
Communicator
‎07-27-2020 07:58 AM

Thanks Sautamo the lastday field works just fine. But I also want to add a field called Report Period the value should represent the Week/Month depending on the granularity of the report. 

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎07-27-2020 08:26 AM

Hi

I updated my previous answer by adding reportPeriod.

r. Ismo

0 Karma
Reply
Solved! Jump to solution

iamsplunker
Communicator
‎07-27-2020 11:04 AM

Thanks soutamo. I accepted your answer. I hope this is the last comment in this thread. Can you please explain about  the value you've mentioned  604800 . For both date ranges 6/1 -6/7 and 6/1-6/30 it is showing the Granularity as Weekly. for 6/1-6/30 it should show as Monthly. Thanks for all your help

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎07-27-2020 11:43 AM

It is seven days in seconds. Current stats needs that there are events (_time) for start and end date/time. Of course you could use those from your given start and end dates where this would works even there haven’t been any events. 
r. Ismo

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎07-24-2020 01:24 PM 
earliest="07/01/2020:00:00:00" latest="07/07/2020:23:59:59" index=_internal | head 1
| addinfo
| eval lastdate=strftime(info_max_time,"%F")
| eval MonthEnd=strftime(relative_time(info_min_time,"@month-1d"),"%F")
| table lastdate MonthEnd
0 Karma
Reply
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...