Splunk Search

How do you set date_mday for yesterday?

dorgra
Path Finder

If I run the following search, adjust the time picker to the last 7 days, AND the 28th falls within the time picker dates, I get the day's counts regardless of what my settings show for my time zone.

index=my_index date_mday=28 | stats count as count 

However, I need to schedule this for yesterday, late in the morning, in order to catch any lagging events from the host. I want to use

index=my_index date_mday=now()-1%d | stats count as count

I can't find an eval command, or any other way, to pass yesterday's %d value to this search.

Any suggestions? I really need to use the date_mday value for audit purposes.

0 Karma

dorgra
Path Finder

Your answer gives different results depending on the user settings for timezone. I think I mentioned that. Thanks for the answer, but it gives different results and therefore doesn't work for an audit requirement. It took me a while longer than expected, but the correct answer is:

index=tse001
| eval yest=tonumber(strftime(relative_time(time(), "-d"), "%d"))
| where date_mday=yest
| stats count as count

If anyone can point out an error in my search, please feel free to post. It is critical to the audit requirement that I get all events sent from the host on that particular day, considering possible lag in indexing and that the search may run from a different timezone.

0 Karma
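As an added illustration in Python (not SPL, and not code from this thread) of the two pitfalls in the search above: the value computed for "yesterday" depends on the timezone the search is evaluated in, and strftime's "%d" is zero-padded while date_mday is not, so a plain string comparison silently fails on the 1st through the 9th. The timestamps and the fixed UTC-8 offset are constructed for the example.

```python
from datetime import datetime, timedelta, timezone, tzinfo


def yesterday_mday(now_epoch: float, tz: tzinfo) -> dict:
    """Mimic eval yest=strftime(relative_time(now(), "-1d@d"), "%d") in a given zone.

    now_epoch: the search start time, as now() returns it (seconds since epoch).
    tz:        the timezone the search is evaluated in (the user's setting);
               a fixed offset here, so DST is ignored (assumption of this example).
    Returns strftime's zero-padded string and the integer date_mday it should match.
    """
    local_now = datetime.fromtimestamp(now_epoch, tz)
    # "-1d@d": step back one day, then snap to midnight of that day
    yesterday = (local_now - timedelta(days=1)).replace(
        hour=0, minute=0, second=0, microsecond=0)
    padded = yesterday.strftime("%d")
    return {"padded": padded, "mday": int(padded), "date": yesterday.date().isoformat()}


def string_compare(date_mday_value: int, yest_padded: str) -> bool:
    """Comparison as originally written: a bare "%d" string against date_mday."""
    return str(date_mday_value) == yest_padded


def numeric_compare(date_mday_value: int, yest_padded: str) -> bool:
    """Comparison with tonumber() applied to the strftime result."""
    return date_mday_value == int(yest_padded)


# Constructed search start times (not from the thread)
MONTH_ROLLOVER = datetime(2024, 3, 1, 2, 30, tzinfo=timezone.utc).timestamp()
EARLY_IN_MONTH = datetime(2024, 3, 6, 12, 0, tzinfo=timezone.utc).timestamp()
UTC = timezone.utc
PST = timezone(timedelta(hours=-8))  # fixed offset standing in for US Pacific

if __name__ == "__main__":
    # Same instant, two user timezones: "yesterday" lands on different days
    for name, tz in (("UTC", UTC), ("UTC-8", PST)):
        print(name, yesterday_mday(MONTH_ROLLOVER, tz))
    # Early in the month the zero-padded string never equals date_mday=5
    y = yesterday_mday(EARLY_IN_MONTH, UTC)["padded"]
    print("string:", string_compare(5, y), "numeric:", numeric_compare(5, y))
```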

woodcock
Esteemed Legend

Why is this not good enough (it has the added benefit to work for those events which do not have the date_* fields, which are unreliable anyway)?

index=my_index earliest=-1d@d latest=@d | stats count

In any case, you can do this (which is silly):

index=my_index [|makeresults | eval date_mday=strftime(relative_time(now(), "-1d"), "%d")] | stats count

0 Karma