Splunk Search

How do you set date_mday for yesterday?

Path Finder

If I run the following search, adjust the time picker to the last 7 days, AND the 28th falls within the time picker dates, I get the days counts regardless of what my settings show for my time zone.

index=my_index date_mday=28 | stats count as count 

However, I need to schedule this for yesterday, late in the morning, in order to catch any lagging events from the host. I want to use

index=my_index date_mday=now()-1%d| status count as count 

I can't find an eval command, or any other way, to pass yesterday's %d value to this search.

Any suggestions? I really need to use the date_mday value for audit purposes.

0 Karma

Path Finder

Your answer gives different results depending on the user settings for timezone. Think I mentioned that. Thanks for the answer, but it gives different results and therefore doesn't work for an audit requirement. It took me a while longer than expected, but the correct answer is:

| eval yest=strftime(relative_time(time(), "-d"), "%d")
| where date_mday=yest
| stats count as count

If anyone can point out an error in my search, please feel free to post. It is critical to the audit requirement that I get all events sent from the host on that particular day, considering possible lag in indexing and that the search may run from a different timezone.

0 Karma

Esteemed Legend

Why is this not good enough (it has the added benefit to work for those events which do not have the date_* fields, which are unreliable anyway)?

index=my_index earliest=-1d@d latest=@d | stats count

In any case, you can do this (which is silly):

index=my_index [|makeresults | eval date_mday=strftime(relative_time(now(), "-1d"), "%d")] | stats count
0 Karma
Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

How I Instrumented a Rust Application Without Knowing Rust

As a technical writer, I often have to edit or create code snippets for Splunk's distributions of ...