Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Setting up query running time
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am having a dashboard which comprises of several panels. It serves the monitoring of set of jobs.
Jobs cycle started at every day 7 AM and completes around next day 5 AM. Say Example 07/18/2017 7AM to 07/19/2017 5AM. So i want to set the earliest time at 7 am at any point time throughout the cycle.
I may run the dashboard at 07/18/2017 8AM 8.30AM 9AM and so on. It may continue till 07/19/2017 02AM, 02.30AM 3AM 3.30AM, 4.30AM and so on.
So whenever i am running my dashboard it should from 7AM whether on the same day or next day.
Please advice the feasibility on the same.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The below query serving my need.
your base search
[| makeresults
| eval earliest=if(now()<=relative_time(now(),"@d+5h"),"-1d@d+7h","@d+7h")
| eval latest="now" | table earliest latest ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The below query serving my need.
your base search
[| makeresults
| eval earliest=if(now()<=relative_time(now(),"@d+5h"),"-1d@d+7h","@d+7h")
| eval latest="now" | table earliest latest ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
maybe add this to all your searches?
earliest=@d+7h
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This won't working when we cross the midnight
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your response
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use a subsearch, something like this:
index=YouShoulAlwaysSpecifyAnIndex sourcetype=AndAlsoAlwaysSpecifySourcetype [| makeresults
| eval now=now()
| eval earliest=relative_time(now, "@d+1d+7h")
| eval earliest=if((earliest<now), earliest, relative_time(now, "@d+7h"))
| eval search = "earliest=" . earliest
| table search]
You might have to fix the logic for "today's 7AM" vs "tomorrow's 7AM" but this will programatically set the start time of the search based on what time it is "now" (when the search is run).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@woodcock, Great! it is working fine. Thank you very much!!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@woodcock,
Getting the below error, when it is crossing the midnight
Error in 'litsearch' command: Unable to parse the search: Invalid time bounds in search: start=1514379600 > end=1514357190.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Automating Threat Operations and Threat Hunting with Recorded Future
Keep the Learning Going with the New Best of .conf Hub
Splunk Community Badges!
