How do you set date_mday for yesterday?

Path Finder

If I run the following search, adjust the time picker to the last 7 days, AND the 28th falls within the time picker dates, I get the day's counts regardless of what my settings show for my time zone.

index=my_index date_mday=28 | stats count as count 

However, I need to schedule this for yesterday, late in the morning, in order to catch any lagging events from the host. I want to use

index=my_index date_mday=now()-1%d | stats count as count

I can't find an eval command, or any other way, to pass yesterday's %d value to this search.

Any suggestions? I really need to use the date_mday value for audit purposes.

0 Karma

Path Finder

Your answer gives different results depending on the user settings for timezone. Think I mentioned that. Thanks for the answer, but it gives different results and therefore doesn't work for an audit requirement. It took me a while longer than expected, but the correct answer is:

| eval yest=strftime(relative_time(time(), "-d"), "%d")
| where date_mday=yest
| stats count as count

If anyone can point out an error in my search, please feel free to post. It is critical to the audit requirement that I get all events sent from the host on that particular day, considering possible lag in indexing and that the search may run from a different timezone.

0 Karma

Esteemed Legend

Why is this not good enough (it has the added benefit of working for those events which do not have the date_* fields, which are unreliable anyway)?

index=my_index earliest=-1d@d latest=@d | stats count

In any case, you can do this (which is silly):

index=my_index [|makeresults | eval date_mday=strftime(relative_time(now(), "-1d"), "%d")] | stats count
0 Karma
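
The search below is an added example, not part of the original thread. It compares the two approaches discussed above: `date_mday` comes from the timestamp text in the raw event, while `strftime(_time, "%d")` and `now()` are evaluated in the searching user's timezone, so it counts how many of yesterday's events each interpretation picks up. The field names `yest_mday`, `raw_mday`, `searcher_mday` and `bucket` are illustrative, and the 3-day window is an assumption chosen to cover indexing lag and timezone offsets.

```spl
index=my_index earliest=-3d@d latest=now
| eval yest_mday=tonumber(strftime(relative_time(now(), "-1d@d"), "%d"))
| eval raw_mday=tonumber(date_mday)
| eval searcher_mday=tonumber(strftime(_time, "%d"))
| where raw_mday=yest_mday OR searcher_mday=yest_mday
| eval bucket=case(
    isnull(raw_mday), "no date_mday field",
    raw_mday=yest_mday AND searcher_mday=yest_mday, "both agree",
    raw_mday=yest_mday, "date_mday only",
    true(), "_time in searcher timezone only")
| stats count by bucket
```

Any rows outside "both agree" are events that a `date_mday` filter and an `earliest=-1d@d latest=@d` window would count differently, which is the discrepancy an audit report needs to account for.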