I'm hoping someone can help me, we have some reporting setup that queries a database once a day after the query and the database is populated the charts are fine but before that time they all report today as 0/null.
Is it possible to not report anything for today until an event happens? So just have yesterdays event and nothing for today.
Assuming that I understood your question, and that the data is presented in a dashboard, you should schedule the search that creates the chart in the dashboard. If you set the schedule to run the search once a day, the dashboard should show the latest cached search results, instead of running the search when loading the dashboard.
The trick is to schedule the search to run just after the data is available for searching/reporting.
Yes. You can do that. Or not. It all depends on the data you have coming in. If you could edit your original question for clarity, and perhaps describe the nature of the data coming in, and what you want out of it.
Perhaps this can help you;
or try a subsearch approach (where
your_base_search would be something like
your_base_search earliest=-2w [search your_base_search | head 1 | fields + date_mday ] | the rest of your search
In this case the subsearch will take the first occurrence it finds (head 1) and return the day of the month to the outer search, where it will be added as a search criteria. See:
To schedule a search: goto Manager -> Searches, click on your search. check the box which says 'schedule this search'. enter a schedule (basic or cron). save.
Ok is there not a way to tell Splunk to only show data for a particular day when an event happens? For example if my event is at 4pm today it would still show yesterdays data up until the end of the chart until the event? Also, how do you schedule a search?