Splunk Search

automated query results from run to run

Path Finder

I'm creating a query that runs every day at 03:00 I need to use the field "INSERT_DATE" as my time entry. Its currently formatted like this 2019-08-12 00:10:33.0, I need to find a way to get all of the previous dates in and all dates going forward with out duplicating any data.

0 Karma


@codedtech for the community to assist you better, you need to add way more details than this. You need to explain with sample data that you have and Splunk query you are using right now. Where exactly is the issue? What do you mean by get all of the previous dates in and all dates going forward?

| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Path Finder

I'm Using DBX to query a database that is updated every day at 00:10:00 and add these results to my index. due to logistical issues, I can not use DBX to do this automatically. I was told to use the collect command to do this or manipulate the DB.

This is the base query:
dbxquery query=myQUery |eval Used_GB= VDC_TOTAL_CAP_GB-VDC_FREE_CAP_GB|eval Pool_Perc = Used_GB/VDC_TOTAL_CAP_GB|eval _time=strptime(INSERT_DATE, "%Y-%m-%d %H:%M:%S")|bin span=1d _time

I need to find a way to only new events that occur between 00:00:00, and 03:00 (of today)into my index, with out adding duplicates of entries from the previous run(Yesterday), and being dynamic enough so that I never need to manually run the query.

0 Karma
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...