Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- search every day in last week at specific times
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
search every day in last week at specific times
hello again.
I have a search where I'd like to go back 1 week and then search the same time on each day during that week and return results.
So far I have been looking at all of the time range modifiers and still haven't come up with exactly what I am looking for.
My search is:
sourcetype="Cron_SendNotificationEmail" OR sourcetype="Cron_CheckRegistrarThreshold"
(source="*asia*" OR source="*info*" OR source="*org*" OR source="*mobi*" OR source="*me*" OR source="*aero*" OR source="*cctld*")
earliest=-1d@d latest=-1d@d+23h+55m
| rex field=_raw "send_to_email ?\[(?P<send_to_email>\S+)\]"
| rex "(?P<inserting_a_record>Inserting a record.*)"
| search inserting_a_record="*" OR send_to_email="*"
| timechart count(inserting_a_record) as TotalEmailsToSend count(send_to_email) as TotalEmailsSent`
obviously i don't have the right time modifiers in the search right now, but i'm trying to figure it out. so far i think i could start with "startdaysago=7" but after that I'm not sure how to tell the search to search on every day after going back 7 days at the times I would like which is:
00:00 to 23:55
Help?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think I have an idea of where you're trying to go. Do you think you could add a table of what you'd like the tabular output of the search to be? ie what are the rows and columns you want to end up with?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If I get you right you'd like to dismiss events being generated the last five minutes before midnight every day. Would something like this do?
.... earliest=-7d@d NOT (day_hour=23 AND day_minute>=55)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
earliest=-7d@d latest=@d NOT (day_hour=....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you got the timechart syntax wrong.... should be something like | timechart count(eval(inserting_a_record=*)) ....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am still messing with this query, but I don't want it to include any results from the current day at all. I only want the last 7 days NOT including the present day.
sourcetype="Cron_CheckRegistrarThreshold" (source="asia" OR source="info" OR source="org" OR source="mobi" OR source="me" OR source="aero" OR source="cctld") earliest=-7d@d NOT (day_hour=23 AND day_minute>=55) | rex "(?P
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
well this probably would work, but now the problem appears to be that the query isn't giving me the results i would expect. It should pull out two fields, TotalEmailSent and TotalEmailsToSend and once charted both of these numbers should match. For some reason they aren't.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
also keep in mind this search makes a chart on the dashboard.
Community Content Calendar, September edition
Splunkbase Unveils New App Listing Management Public Preview
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
