Splunk Search

return: eval filename=strftime(now(), with yesterday's count (as file information)

knitz
Explorer

Hello,

Looking for some help.

I am running a search daily, but the logs in the source get updated late by the application (the app updates the source/log file the next day with values related to the previous day), so I want to run my search the next day and return the result into an outputlookup .csv including the day count of the previous day.

For example: if my search runs daily, let's say on day 9 (the search is on the previous day, 8 = yesterday), it returns an outputlookup .csv as file-name_%d.csv, which equals file-name_09.csv (works perfectly).

I need to get it returned as: file-name_08.csv

Below is the search I am using:

index="application-license" sourcetype=application License_User_device=* License_feature_status="OUT" License_user=*
| eval License_feature_status=(License_feature_status)
| eval License_User_device=split(License_User_device,",")
| eval License_user=split(License_user,",")
| makemv delim="," License_user
| mvexpand License_user
| sort License_user
| dedup License_user
| stats list(License_user) as "User" list(License_User_device) as "Computer" count(License_feature_status) as "LicenseTaken" by _time

| outputlookup [ | stats count | eval filename=strftime(now(), "Application-license-usage-per_day_%d.csv") | return $filename]

...................

I tried (without results):

| outputlookup [ | stats count | eval filename=strftime((now(),"-1d"), "Minitab-license-usage-per_day_%d.csv") | return $filename]
or
| outputlookup [ | stats count | eval filename=relative_time(now(), "-1d@d"), "%m/%d") | return $filename]


Do you have any idea / solution for me?

Thanks in advance,
Kai

0 Karma
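
An added example, not part of the original thread: `strftime()` expects an epoch time as its first argument, so the one-day shift has to be applied to the time value with `relative_time()` before formatting. The search below uses `makeresults` and illustrative field names (assumptions, not from the post) to show the name built from `now()` next to the name built from yesterday's midnight, which also rolls back correctly across a month boundary.

```spl
| makeresults
| eval run_time=now()
| eval yesterday_midnight=relative_time(run_time, "-1d@d")
| eval name_from_now=strftime(run_time, "Application-license-usage-per_day_%d.csv")
| eval name_from_yesterday=strftime(yesterday_midnight, "Application-license-usage-per_day_%d.csv")
| table run_time yesterday_midnight name_from_now name_from_yesterday
```

In the scheduled search, the same expression goes into the existing subsearch: `| outputlookup [ | stats count | eval filename=strftime(relative_time(now(), "-1d@d"), "Application-license-usage-per_day_%d.csv") | return $filename ]`. Running the main search over `earliest=-1d@d latest=@d` keeps the data window aligned with the day in the file name.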

manjunathmeti
Champion
0 Karma