Hi there,
I have some data like this:

activity_id: 1131c134-d771-41e7-918d-d42772fc1316
date_time: 2018-02-13T08:21:40.682844+00:00
env: prod
event_data: {
    channel: 1124
    day: 2018-02-18
    eventId: 97356218
    streamEndDateTime: 1518974100000
    streamStartDateTime: 1518965640000
}
event_name: update.event
timestamp: 1518510100682
And I would like Splunk to generate a report each day at midnight based on the next 2 days from the 'event_data.day' value. For example if today is 2018-02-17, the report would check
event_name="update.event" event_data.day="2018-02-17" OR event_data.day="2018-02-18"
The next day the report would check for
event_name="update.event" event_data.day="2018-02-18" OR event_data.day="2018-02-19"
etc.
Any help would be greatly appreciated.
Try this!
event_name="update.event" [search |noop|stats count as event_data.day
|eval event_data.day=strftime(now(),"%Y-%m-%d")+" "+strftime(relative_time(now(),"+1d@d"),"%Y-%m-%d")
|makemv event_data.day
|mvexpand event_data.day]
Hey @hiroshiSatoh,
I was just wondering why you have used |noop|stats count as event_data.day ?
If you do not use that then you will not get an answer? Just trying to understand your query.
Also event_data.day=strftime(now(),"%Y-%m-%d")+" "+strftime(relative_time(now(),"+1d@d"),"%Y-%m-%d")
will give you today's and tomorrow's date, right?
Brilliant! Thank you!
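As an added example, not posted by anyone in this thread, the same two-day filter written with makeresults, which produces the single seed row that "| noop | stats count" produces in the accepted answer; the subsearch is generalised so the window length is the second argument of mvrange (assumption: Splunk supports makeresults, mvrange and tostring, which it does from 6.3 onwards).

```spl
event_name="update.event"
    [| makeresults
     | eval day_offset=mvrange(0, 2)
     | mvexpand day_offset
     | eval event_data.day=strftime(relative_time(now(), "+".tostring(day_offset)."d@d"), "%Y-%m-%d")
     | table event_data.day ]
```

mvrange(0, 2) yields the offsets 0 and 1, mvexpand turns them into one row each, and the subsearch then returns (event_data.day="2018-02-17") OR (event_data.day="2018-02-18") when run on 2018-02-17; changing 2 to 3 adds the day after tomorrow without touching the rest of the search.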