Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a scheduled alert to generate Year To Date reports?

kel6cob
New Member
‎02-17-2016 01:47 AM

Hi,

I have created a search to pull annual records using time range "Year to date" option. It displays the all the annual records perfectly. If I save this search as an alert and scheduled to run on certain days, it's not fetching "Year to date" records instead it gives records for last 1 month. So how do I create an alert to pull "Year to date" records ?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-17-2016 07:55 AM

Ensure that in "Start time"/Earliest field (Settings-> Searches, reports and alerts -> Your scheduled search) is set to @y and "Finish time"/Latest is set to now.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-17-2016 07:55 AM

Ensure that in "Start time"/Earliest field (Settings-> Searches, reports and alerts -> Your scheduled search) is set to @y and "Finish time"/Latest is set to now.

0 Karma
Reply
Solved! Jump to solution

kel6cob
New Member
‎02-17-2016 08:26 PM

Cool!! I didn't know @y will take the beginning of the year, exactly what I was looking for. Thanks @somesoni2.

0 Karma
Reply
Solved! Jump to solution

kel6cob
New Member
‎02-17-2016 10:13 PM

I used to schedule the report on 1st day of month @00:00 to retrieve the annual reports from Jan 1 to last day of prev month. This approach works perfect for first 11 months whereas for Dec month (say Dec2016) it will not work because earliest=@y will take next year (2017) if it runs on 1st day of Jan2017.

How do I handle this? Can the earliest field be modified if month is Dec using any eval conditions?

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎02-18-2016 07:32 AM

If you're scheduling it to run on 1st of every month, try this 

Start time/Earliest:             -2d@y
FInish time/Latest:              @mon
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...