Splunk Search

automated query results from run to run

Path Finder

I'm creating a query that runs every day at 03:00 I need to use the field "INSERT_DATE" as my time entry. Its currently formatted like this 2019-08-12 00:10:33.0, I need to find a way to get all of the previous dates in and all dates going forward with out duplicating any data.

0 Karma


@codedtech for the community to assist you better, you need to add way more details than this. You need to explain with sample data that you have and Splunk query you are using right now. Where exactly is the issue? What do you mean by get all of the previous dates in and all dates going forward?

| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Path Finder

I'm Using DBX to query a database that is updated every day at 00:10:00 and add these results to my index. due to logistical issues, I can not use DBX to do this automatically. I was told to use the collect command to do this or manipulate the DB.

This is the base query:
dbxquery query=myQUery |eval Used_GB= VDC_TOTAL_CAP_GB-VDC_FREE_CAP_GB|eval Pool_Perc = Used_GB/VDC_TOTAL_CAP_GB|eval _time=strptime(INSERT_DATE, "%Y-%m-%d %H:%M:%S")|bin span=1d _time

I need to find a way to only new events that occur between 00:00:00, and 03:00 (of today)into my index, with out adding duplicates of entries from the previous run(Yesterday), and being dynamic enough so that I never need to manually run the query.

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...