Can you please tell us how to get the last 24 hours' event count to schedule the report?
If you want a count of all events in the last 24 hours, you could try this:
* earliest=-24h latest=now | stats count (searches the default index only)
If you want the event count for a specific search, try this:
[your splunk search] earliest=-24h latest=now | stats count
Hello, I tried using the 'earliest' option and I'm getting this error
<search>
<query>index="mulertf" "$form.env$-glot-product-sapi-v1" AND "Before updating data for GCPN:" |earliest=-24h latest=now | stats count</query>
</search>
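An added example, not part of the original thread: `earliest` and `latest` are time modifiers of the base search, so they must appear before the first pipe. After a pipe, SPL reads the next word as a command name. The Simple XML fragment below reuses the index and search strings from the post above and shows two placements that Splunk accepts: the modifiers inline in the query, or the `<earliest>` and `<latest>` child elements of `<search>`.

```xml
<!-- Option 1: time modifiers inline, as part of the search terms
     (before the first pipe) -->
<search>
  <query>index="mulertf" "$form.env$-glot-product-sapi-v1" AND "Before updating data for GCPN:" earliest=-24h latest=now | stats count</query>
</search>

<!-- Option 2: time range set on the search element itself,
     leaving the query free of time modifiers -->
<search>
  <query>index="mulertf" "$form.env$-glot-product-sapi-v1" AND "Before updating data for GCPN:" | stats count</query>
  <earliest>-24h</earliest>
  <latest>now</latest>
</search>
```

Use one option or the other. Time modifiers written inline in the query take precedence over the range set on the `<search>` element or in the time picker.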