Splunk Search

Triggered alerts query - Need help with date

jason2
Loves-to-Learn

Putting together a query that shows, on an individual alert level, the number of times the alert fired in a day and the average we were expecting.  Below is the query as it stands now, but I am looking for a way to only show records from today/yesterday, instead of for the past 30 days.  

Any help would be appreciated

index=_audit action="alert_fired" earliest=-30d latest=now 
| eval date=strftime(_time, "%Y-%m-%d")
| stats count AS actual_triggered_alerts by ss_name date
| eventstats avg(actual_triggered_alerts) AS average_triggered_alerts by ss_name
| eval average_triggered_alerts = round(average_triggered_alerts,0)
| eval comparison = case(
actual_triggered_alerts = average_triggered_alerts, "Average",
actual_triggered_alerts > average_triggered_alerts, "Above Average",
actual_triggered_alerts < average_triggered_alerts, "Below Average")
| search comparison!="Average"
| table date ss_name actual_triggered_alerts average_triggered_alerts
| rename date as "Date", ss_name as "Alert Name", actual_triggered_alerts as "Actual Triggered Alerts", average_triggered_alerts as "Average Triggered Alerts"

PickleRick
SplunkTrust

You explicitly search for earliest=-30d, so you're getting results from the last 30 days.


jason2
Loves-to-Learn

The earliest=-30d is there so I can get an average count for each triggered alert over the past 30 days. My question is how can I limit those results so I only see records from yesterday, not the other 29 days.


PickleRick
SplunkTrust

Just filter with

| where _time>=now()-86400

(Or whatever time limit you need) before you remove the _time field with the table command.

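Putting the question and the answer together, here is an added worked example of the full query with the time filter in place. It is not code from either poster; it restructures the original search so that the `_time` field survives the `stats` step (the original `stats ... by ss_name date` drops `_time`, so a `where _time` filter has nothing to test unless the day bucket is kept as `_time`). The thirty-day window still feeds the per-alert average, and the filter is applied only after `eventstats` so the average is not shortened to one day. The `-1d@d` snap-to-day is an assumption about the intended window (yesterday at midnight onward); the commented alternative restricts the output to yesterday only.

```spl
index=_audit action="alert_fired" earliest=-30d@d latest=now
| bin _time span=1d
| stats count AS actual_triggered_alerts by ss_name _time
| eventstats avg(actual_triggered_alerts) AS average_triggered_alerts by ss_name
| eval average_triggered_alerts = round(average_triggered_alerts, 0)
| eval comparison = case(
    actual_triggered_alerts = average_triggered_alerts, "Average",
    actual_triggered_alerts > average_triggered_alerts, "Above Average",
    actual_triggered_alerts < average_triggered_alerts, "Below Average")
| search comparison!="Average"
| where _time >= relative_time(now(), "-1d@d")
| eval date = strftime(_time, "%Y-%m-%d")
| table date ss_name actual_triggered_alerts average_triggered_alerts comparison
| rename date AS "Date", ss_name AS "Alert Name", actual_triggered_alerts AS "Actual Triggered Alerts", average_triggered_alerts AS "Average Triggered Alerts", comparison AS "Comparison"
```

To show yesterday only, add `AND _time < relative_time(now(), "@d")` to the `where` clause. One caveat worth knowing when reading the output: `stats` only produces a row for days on which an alert actually fired, so a day with zero firings does not pull the average down. If silent days matter to you (for example, an alert that normally fires daily and has gone quiet), fill the missing day buckets before `eventstats` or compute the average by dividing the 30-day total by 30.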