You will need to use the snapping functionality (earliest=@d+6h latest=@d+6h+30m) that mus mentioned below. Can you post your search string, so we have an idea of what you're working with?

Here's the search query:

host= xxxxxx index=* COMMAND=java USER=xxxxx | timechart earliest=@d+6h latest=@d+6h+30m span=5m limit=0 avg(pctCPU) as "% of CPU Usage"

This query basically reports the average CPU used % and i want a report from 6 am to 6.30 am on a daily basis to monitor the load/usage.

I tried with your snapping as well and it gives the below error:

Error in 'timechart' command: Invalid argument: 'earliest=@d+6h'

thanks.

The earliest and latest fields need to go before the timechart command. Try ..

host= xxxxxx index=* COMMAND=java USER=xxxxx earliest=@d+6h latest=@d+6h+30m| timechart span=5m limit=0 avg(pctCPU) as "% of CPU Usage

Oh Cool... That worked! Thanks so much!

Is there a way I can combine these daily reports together in one report so that i see the historical data?

Thanks.

You can use this approach: https://answers.splunk.com/answers/73966/query-for-picking-time-range-at-specified-time-everyday.htm...

In your case it would look more like.. "date_hour=6 AND date_minute>0 AND date_minute<30". Keep in mind this will need to go in the beginning of the search, just like the earlier example.

Hi jluo,

Under Actions if i click Edit, i see Edit Description, Clone and Delete options. I don't find Edit Schedule. Am i missing something?

Thanks.

You can also do this workaround. You can clone the report, then schedule the report from there (since you'll be the owner of the report). Here's some documentation on scheduling reports : http://docs.splunk.com/Documentation/Splunk/6.3.0/Report/Schedulereports

It's possible your admin may have removed write permissions on that report. However, if that were the case, you would only see the option to "clone", and not edit description or delete. Can you post a screenshot?

I managed to get the required permissions to schedule the report. But the issue is, I have set the search for the report based on date/time range and wondering the report will daily provide me the data for the same date as it was set in the search. How do I fix that?

Thanks.

use this in your base search:

earliest=-0d@d+6h latest=-0d@d+6h+30min

This will snap tho the current day 6am til current day 6:30am

cheers, MuS

Hi Mus,

I tried to add "earliest=-0d@d+6h latest=-0d@d+6h+30min" to the base search and it gives me the below error:

Error in 'timechart' command: Invalid argument: 'earliest=-0d@d+6h'

You will need to rework the report's time range so that is a generic time range (last week, last 24 hours, whatever you want, but it cannot be for a specific date range and time, for example, july1st from 8am - july 2nd at 8am). When you open up the report in search, you can change the time range using the time ranger picker on the right side of the search bar.

Otherwise, you will get the same results every time the search is run.

Hi jluo,

Yes, that will work, but when i want to see the report at a later time, it will give me the results as to what the relative time was set in the search. I would have to email out the report for the data or will end up modifying it all the time. Thoughts?

Thanks.

you need to have the schedule_search capability to Schedule saved searches, create and update alerts, and review triggered alert information. This is usually only granted to the power user role.

cheers, MuS

Thanks Mus, I will have to check with my admin to see if I was granted that permission.

Hi ltrand,

Thanks for your response. I don't find an option to schedule a report as you have mentioned. Could you please let me know how do i do that? Also, will the date set in the search change to the next day automatically? I am using Splunk 6.3.0.

Thanks.

Hi ltrand,

By setting the date/time range on the search and scheduling the report, will the schedule change the date on the search to the date it runs?

Thanks.

You can save your search as a report by clicking save as (under the search bar) and then choosing report. From there, go to the "Reports" on the bar above the search bar. With each report, you have options under the Actions column to "Edit" or "Open in Search". Choose edit, and it will bring down a menu, where you can "Edit Schedule".