Solved: generate daily report on date field in data

alexm2a · ‎02-13-2018

Hi there,

I have some data like this

activity_id:     1131c134-d771-41e7-918d-d42772fc1316   
     date_time:  2018-02-13T08:21:40.682844+00:00   
     env:    prod   
     event_data:    {   [-] 
         channel:    1124   
         day:    2018-02-18 
         eventId:    97356218   
         streamEndDateTime:  1518974100000  
         streamStartDateTime:    1518965640000  
    }   
     event_name:     update.event
     timestamp:  1518510100682

And I would like Splunk to generate a report each day at midnight based on the next 2 days from the 'event_data.day' value. For example if today is 2018-02-17, the report would check

event_name="update.event"  event_data.day="2018-02-17" OR event_data.day="2018-02-18"

The next day the report would check for

event_name="update.event"  event_data.day="2018-02-18" OR event_data.day="2018-02-19"

etc.

Any help would be greatly appreciated.

HiroshiSatoh · ‎02-13-2018

Try this!

event_name="update.event"  [search |noop|stats count as event_data.day
|eval event_data.day=strftime(now(),"%Y-%m-%d")+" "+strftime(relative_time(now(),"+1d@d"),"%Y-%m-%d")
|makemv event_data.day
|mvexpand event_data.day]

View solution in original post

HiroshiSatoh · ‎02-13-2018

Try this!

event_name="update.event"  [search |noop|stats count as event_data.day
|eval event_data.day=strftime(now(),"%Y-%m-%d")+" "+strftime(relative_time(now(),"+1d@d"),"%Y-%m-%d")
|makemv event_data.day
|mvexpand event_data.day]

mayurr98 · ‎02-13-2018

hey @hiroshiSatoh

I was just wondering why you have used |noop|stats count as event_data.day?
If you do not use that then you will not get an answer? Just trying to understand your query.
Also event_data.day=strftime(now(),"%Y-%m-%d")+" "+strftime(relative_time(now(),"+1d@d"),"%Y-%m-%d" will give you today and tomorrow date right?

alexm2a · ‎02-13-2018

Brilliant! Thank you!

generate daily report on date field in data

Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM

Index This | What did the zero say to the eight?

Splunk Observability Cloud's AI Assistant in Action Series: Onboarding New Hires & ...

Are you a member of the Splunk Community?

generate daily report on date field in data

Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM

Index This | What did the zero say to the eight?

Splunk Observability Cloud's AI Assistant in Action Series: Onboarding New Hires & ...