Splunk Search

How do you set date_mday for yesterday?

Path Finder

If I run the following search, adjust the time picker to the last 7 days, AND the 28th falls within the time picker dates, I get the days counts regardless of what my settings show for my time zone.

index=my_index date_mday=28 | stats count as count 

However, I need to schedule this for yesterday, late in the morning, in order to catch any lagging events from the host. I want to use

index=my_index date_mday=now()-1%d| status count as count 

I can't find an eval command, or any other way, to pass yesterday's %d value to this search.

Any suggestions? I really need to use the date_mday value for audit purposes.

0 Karma

Path Finder

Your answer gives different results depending on the user settings for timezone. Think I mentioned that. Thanks for the answer, but it gives different results and therefore doesn't work for an audit requirement. It took me a while longer than expected, but the correct answer is:

index=tse001
| eval yest=strftime(relativetime(time(), "-d"), "%d")
| where date
mday=yest
| stats count as count

If anyone can point out an error in my search, please feel free to post. It is critical to the audit requirement that I get all events sent from the host on that particular day, considering possible lag in indexing and that the search may run from a different timezone.

0 Karma

Esteemed Legend

Why is this not good enough (it has the added benefit to work for those events which do not have the date_* fields, which are unreliable anyway)?

index=my_index earliest=-1d@d latest=@d | stats count

In any case, you can do this (which is silly):

index=my_index [|makeresults | eval date_mday=strftime(relative_time(now(), "-1d"), "%d")] | stats count
0 Karma