Splunk Search

How do you set date_mday for yesterday?

dorgra
Path Finder

If I run the following search, adjust the time picker to the last 7 days, AND the 28th falls within the time picker dates, I get the day's counts regardless of what my settings show for my time zone.

index=my_index date_mday=28 | stats count as count 

However, I need to schedule this for yesterday, late in the morning, in order to catch any lagging events from the host. I want to use

index=my_index date_mday=now()-1%d | stats count as count 

I can't find an eval command, or any other way, to pass yesterday's %d value to this search.

Any suggestions? I really need to use the date_mday value for audit purposes.

0 Karma

dorgra
Path Finder

Your answer gives different results depending on the user settings for timezone. Think I mentioned that. Thanks for the answer, but it gives different results and therefore doesn't work for an audit requirement. It took me a while longer than expected, but the correct answer is:

index=tse001
| eval yest=tonumber(strftime(relative_time(time(), "-1d"), "%d"))
| where date_mday=yest
| stats count as count

If anyone can point out an error in my search, please feel free to post. It is critical to the audit requirement that I get all events sent from the host on that particular day, considering possible lag in indexing and that the search may run from a different timezone.

0 Karma

woodcock
Esteemed Legend

Why is this not good enough (it has the added benefit to work for those events which do not have the date_* fields, which are unreliable anyway)?

index=my_index earliest=-1d@d latest=@d | stats count

In any case, you can do this (which is silly):

index=my_index [| makeresults | eval date_mday=tonumber(strftime(relative_time(now(), "-1d"), "%d"))] | stats count
0 Karma
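As an added illustration that is not part of this thread, the Python model below replays both approaches above (the date_mday filter and the earliest=-1d@d latest=@d window) over constructed events; it assumes fixed UTC offsets and a host that stamps its logs in EDT, and shows that both counts move with the searching user's timezone unless the scheduled search pins the zone to the host's.

```python
from datetime import datetime, timedelta, timezone

# Assumptions (constructed): fixed offsets stand in for Splunk's named zones,
# and the log host timestamps its events in EDT.
HOST_TZ = timezone(timedelta(hours=-4), "EDT")
USER_NY = HOST_TZ
USER_TOKYO = timezone(timedelta(hours=9), "JST")

def make_events():
    """16 constructed events, one every 3 hours from 2024-03-28 00:00 UTC.
    date_mday is what Splunk would extract from the event's own timestamp,
    i.e. the host-local day of month (not zero padded)."""
    base = datetime(2024, 3, 28, tzinfo=timezone.utc)
    events = []
    for h in range(0, 48, 3):
        t = base + timedelta(hours=h)
        events.append({"_time": t.timestamp(),
                       "date_mday": int(t.astimezone(HOST_TZ).strftime("%d"))})
    return events

def yesterday_mday(now_utc, user_tz):
    """Model of strftime(relative_time(now(), "-1d"), "%d"), which Splunk
    evaluates in the searching user's timezone. int() drops the zero padding
    of %d so "08" can be compared with date_mday=8."""
    return int((now_utc.astimezone(user_tz) - timedelta(days=1)).strftime("%d"))

def count_by_mday(events, now_utc, user_tz):
    """Model of: index=... date_mday=<yesterday> | stats count"""
    target = yesterday_mday(now_utc, user_tz)
    return sum(1 for e in events if e["date_mday"] == target)

def count_by_window(events, now_utc, tz):
    """Model of: earliest=-1d@d latest=@d, with the day boundary snapped in tz.
    Passing HOST_TZ here pins the window to the host's calendar day."""
    midnight = now_utc.astimezone(tz).replace(hour=0, minute=0, second=0, microsecond=0)
    start, end = (midnight - timedelta(days=1)).timestamp(), midnight.timestamp()
    return sum(1 for e in events if start <= e["_time"] < end)

if __name__ == "__main__":
    ev = make_events()
    now = datetime(2024, 3, 29, 2, 0, tzinfo=timezone.utc)  # late morning in Tokyo
    for name, tz in (("New York", USER_NY), ("Tokyo", USER_TOKYO)):
        print(name, count_by_mday(ev, now, tz), count_by_window(ev, now, tz))
    print("pinned to host zone", count_by_window(ev, now, HOST_TZ))
```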