Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do i create new field with last day of reporting period to my search?

iamsplunker
Communicator
‎07-24-2020 01:03 PM

I have a report which runs every week on Monday , I'm using earliest and latest time in my search .  Now I wanted to add a new field to my search called lastdate say if a report period is between 07/01 to 07/07 the lastdate field should display 07/07 and For my monthly report how do I create new field called MonthEnd and this  should displays the values as June 30 for month ending date, Please help

 

 

Labels (1)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎07-24-2020 01:24 PM

Hi

add to your stats

 

| stats .... latest(_time) as lastDay range(_time) AS dateRange ....
| eval lastDayOfMonth = strftime (lastDay, "%B %d"),
       lastDay = strftime (lastDay, "%d/%m"),
       reportPeriod = if (dateRange > 604800, "Monthly", "Weekly") ....

 

and then use those fields lastDay and lastDayOfMonth.

r. Ismo

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎07-24-2020 01:24 PM

Hi

add to your stats

 

| stats .... latest(_time) as lastDay range(_time) AS dateRange ....
| eval lastDayOfMonth = strftime (lastDay, "%B %d"),
       lastDay = strftime (lastDay, "%d/%m"),
       reportPeriod = if (dateRange > 604800, "Monthly", "Weekly") ....

 

and then use those fields lastDay and lastDayOfMonth.

r. Ismo

0 Karma
Reply
Solved! Jump to solution

iamsplunker
Communicator
‎07-27-2020 07:58 AM

Thanks Sautamo the lastday field works just fine. But I also want to add a field called Report Period the value should represent the Week/Month depending on the granularity of the report. 

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎07-27-2020 08:26 AM

Hi

I updated my previous answer by adding reportPeriod.

r. Ismo

0 Karma
Reply
Solved! Jump to solution

iamsplunker
Communicator
‎07-27-2020 11:04 AM

Thanks soutamo. I accepted your answer. I hope this is the last comment in this thread. Can you please explain about  the value you've mentioned  604800 . For both date ranges 6/1 -6/7 and 6/1-6/30 it is showing the Granularity as Weekly. for 6/1-6/30 it should show as Monthly. Thanks for all your help

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎07-27-2020 11:43 AM

It is seven days in seconds. Current stats needs that there are events (_time) for start and end date/time. Of course you could use those from your given start and end dates where this would works even there haven’t been any events. 
r. Ismo

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎07-24-2020 01:24 PM 
earliest="07/01/2020:00:00:00" latest="07/07/2020:23:59:59" index=_internal | head 1
| addinfo
| eval lastdate=strftime(info_max_time,"%F")
| eval MonthEnd=strftime(relative_time(info_min_time,"@month-1d"),"%F")
| table lastdate MonthEnd
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Top