Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- generate daily report on date field in data
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
alexm2a
Engager
02-13-2018
01:01 AM
Hi there,
I have some data like this
activity_id: 1131c134-d771-41e7-918d-d42772fc1316
date_time: 2018-02-13T08:21:40.682844+00:00
env: prod
event_data: { [-]
channel: 1124
day: 2018-02-18
eventId: 97356218
streamEndDateTime: 1518974100000
streamStartDateTime: 1518965640000
}
event_name: update.event
timestamp: 1518510100682
And I would like Splunk to generate a report each day at midnight based on the next 2 days from the 'event_data.day' value. For example if today is 2018-02-17, the report would check
event_name="update.event" event_data.day="2018-02-17" OR event_data.day="2018-02-18"
The next day the report would check for
event_name="update.event" event_data.day="2018-02-18" OR event_data.day="2018-02-19"
etc.
Any help would be greatly appreciated.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HiroshiSatoh
Champion
02-13-2018
04:38 AM
Try this!
event_name="update.event" [search |noop|stats count as event_data.day
|eval event_data.day=strftime(now(),"%Y-%m-%d")+" "+strftime(relative_time(now(),"+1d@d"),"%Y-%m-%d")
|makemv event_data.day
|mvexpand event_data.day]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HiroshiSatoh
Champion
02-13-2018
04:38 AM
Try this!
event_name="update.event" [search |noop|stats count as event_data.day
|eval event_data.day=strftime(now(),"%Y-%m-%d")+" "+strftime(relative_time(now(),"+1d@d"),"%Y-%m-%d")
|makemv event_data.day
|mvexpand event_data.day]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mayurr98
Super Champion
02-13-2018
05:16 AM
hey @hiroshiSatoh
I was just wondering why you have used |noop|stats count as event_data.day?
If you do not use that then you will not get an answer? Just trying to understand your query.
Also event_data.day=strftime(now(),"%Y-%m-%d")+" "+strftime(relative_time(now(),"+1d@d"),"%Y-%m-%d" will give you today and tomorrow date right?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
alexm2a
Engager
02-13-2018
04:49 AM
Brilliant! Thank you!
Get Updates on the Splunk Community!
Troubleshooting the OpenTelemetry Collector
In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...
Adoption of Infrastructure Monitoring at Splunk
Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...
Modern way of developing distributed application using OTel
Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...
