Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Run a search and generate a report every morning at 7:30AM for the previous day (from 00:00:00 to 23:59:59)

nelsoko
Engager
‎04-26-2014 07:25 PM

I am struggling to figure out the search I need to generate a report from the previous day. I want to capture all assigned IP address on our network from 00:00:00am until 23:59:00pm everyday and email it to our IT department in the morning @ 7:30.

i have tried:
dhcp* punct=":::___...::::::--/" earliest=@d latest=@d+23h+55m ( this is okay as long as
I run the search at the right time.)

I am just wondering if there is some other way.

Thanks.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mcmaster
Communicator
‎04-26-2014 08:05 PM

For your earliest time try "-1d@d" and for the latest time try "@d". At 7:30AM, -1d@d is 00:00:00 of the previous day, and @d is 00:00:00 of the current day.

Here's the reference for relative time modifiers in Splunk:

http://docs.splunk.com/Documentation/Splunk/6.0.3/SearchReference/SearchTimeModifiers#How_to_specify...

"@d" means snap to the day, which will always give you 00:00:00. -1 means, obviously, 1 day in the past. @d by itself always gives you midnight of the current day.

Hope this helps!

View solution in original post

Reply
Solved! Jump to solution
Solution

mcmaster
Communicator
‎04-26-2014 08:05 PM

For your earliest time try "-1d@d" and for the latest time try "@d". At 7:30AM, -1d@d is 00:00:00 of the previous day, and @d is 00:00:00 of the current day.

Here's the reference for relative time modifiers in Splunk:

http://docs.splunk.com/Documentation/Splunk/6.0.3/SearchReference/SearchTimeModifiers#How_to_specify...

"@d" means snap to the day, which will always give you 00:00:00. -1 means, obviously, 1 day in the past. @d by itself always gives you midnight of the current day.

Hope this helps!

Reply
Solved! Jump to solution

nelsoko
Engager
‎04-27-2014 10:46 AM

Thanks for the input. I will give that a try. With the statement you have provided it wouldn't matter what time I ran the search I would just be getting the results from the previous day. The only thing to change would be the cron schedule. It's there a way to make the report come as a single pdf file instead of multiple files?

0 Karma
Reply
Solved! Jump to solution

linu1988
Champion
‎04-27-2014 12:22 AM

the cron schedule will be 30 7 * * * in the search

earliest=-1d@d latest=@d

Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...