Splunk Search

Search that combines last 7 days and year-to-date

jhackle13
New Member

My current search below pulls findings for the current day and year-to-date starting 2/1/2021. I need help with a way to pull for the previous business week and year-to-date starting 2/1/2021. What adjustments can I make to the search below that will pull that?

index=overwatch-summary overwatch-vuln-type="*"
| where _time>strptime("2021/02/01 00:00:00","%Y/%m/%d %H:%M:%S")
| eval _time=if(_time < now()-86400, now()-86400, now())
| rex field=resource_id "subscriptions/(?<subscriptionId>[0-9a-fA-F\-]+)"
| lookup subscription_managed.csv subscriptionId OUTPUT managed
| fillnull value="Unmanaged" managed
| search managed=Unmanaged
| fillnull value="" blob_name
| eval unique_id=if(isnotnull(unique_id),unique_id,sha256('overwatch-vuln-type' . "_" . resource_id . "_" . issue . blob_name))
| chart dc(unique_id) as count over _time
| bin _time span=1d
| append
[ stats c
| eval _time=now()
| eval count=0
| bin _time span=1d
| fields _time count ]
| stats sum(count) as count by _time


bowesmana
SplunkTrust

You can get the previous business week with "snap to" on the relative_time command; this will calculate the start and end range of the week starting on Monday and ending on Sunday:

| eval start_week=relative_time(now(), "-w@w1"), end_week=start_week+(86400 * 7)

Note that your use of

| where _time>strptime("2021/02/01 00:00:00","%Y/%m/%d %H:%M:%S")

seems unnecessary, as you can either set that date range from your search time window or just as

earliest="02/01/2021 00:00:00"

on the search line.
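As an added example that is not part of either post, one way to get both numbers from a single search: it reuses the field names and unique_id construction from the question's search and the Monday-to-Sunday week from the answer above, and assumes the `earliest` modifier in Splunk's documented `%m/%d/%Y:%H:%M:%S` form.

```spl
index=overwatch-summary overwatch-vuln-type="*" earliest="02/01/2021:00:00:00"
| rex field=resource_id "subscriptions/(?<subscriptionId>[0-9a-fA-F\-]+)"
| lookup subscription_managed.csv subscriptionId OUTPUT managed
| fillnull value="Unmanaged" managed
| search managed=Unmanaged
| fillnull value="" blob_name
| eval unique_id=if(isnotnull(unique_id), unique_id, sha256('overwatch-vuln-type' . "_" . resource_id . "_" . issue . blob_name))
| eval week_start=relative_time(now(), "-w@w1"), week_end=relative_time(now(), "@w1")
| eval in_prev_week=if(_time>=week_start AND _time<week_end, 1, 0)
| stats dc(unique_id) as ytd_findings, dc(eval(if(in_prev_week=1, unique_id, null()))) as prev_week_findings
```

Both counts come from one pass over the year-to-date events, so no append subsearch is needed; prev_week_findings covers the full Monday 00:00 through Sunday 23:59:59 of the last complete week.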

