Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Scheduled Query - change query content
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Background
I have created a query that will allow me to view all tickets created within one month. As some of the 'resolved' events occur after the month has ended I cannot use | stats count by date_month.
Query
The following query will allow me to view all tickets created in the month of September:
index="cyber" sourcetype=response queue = "Incident" status ="resolved" Dates_Created >= 2015-09-01 00:00:00 AND Dates_Created < 2015-10-01 00:00:00 | dedup ticket |stats count AS Sept
Problem
I am going to use this above query as a scheduled query for each month - however I wish for the Dates_Created to change on a monthly basis i.e I wish 2015-09-01 to change to 2015-10-01 and 2015-10-01 to change to 2015-11-01 and I'm not sure how to do this, any help will be greatly appreciated!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use the now() time and eval to create the timestamps for your query - if you know when the search runs.
If you are running the query in the following month you can use the following search command:
index="cyber" sourcetype=response queue = "Incident" status ="resolved"
| eval startstamp=strftime(relative_time(now(),"-mon@mon"),"%Y-%m-%d %H:%M:%S"), endstamp=strftime(relative_time(now(),"@mon"),"%Y-%m-%d %H:%M:%S")
| where Dates_Created >= startstamp AND Dates_Created < endstamp
| dedup ticket
| stats count AS Sept`
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use the now() time and eval to create the timestamps for your query - if you know when the search runs.
If you are running the query in the following month you can use the following search command:
index="cyber" sourcetype=response queue = "Incident" status ="resolved"
| eval startstamp=strftime(relative_time(now(),"-mon@mon"),"%Y-%m-%d %H:%M:%S"), endstamp=strftime(relative_time(now(),"@mon"),"%Y-%m-%d %H:%M:%S")
| where Dates_Created >= startstamp AND Dates_Created < endstamp
| dedup ticket
| stats count AS Sept`
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
