- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Using non timestamp field to produce search for ye...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a date field called "Closed date" in following format "%Y/%m/%d" that IS NOT my timestamp field & want to create a daily scheduled report that only returns data for "Closed date"=previous day. I've tried a eventstats max(closed date) formula but this trips up as on a rare occasion there will be a close date of today.
Any suggestions??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this
index=foo sourcetype=bar... (your base search)... [| gentimes start=-1 | eval "Closed date"=strftime(relative_time(now(),"-1d@d"),"%Y/%m/%d") | table "Closed date" ]
|...rest of the search
The subsearch would return yesterday's date in same format as field "Closed date" to filter records. Please ensure that the time range (which only works on _time) is selected in way that it includes all the data that may have "Closed date" of yesterday.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this
index=foo sourcetype=bar... (your base search)... [| gentimes start=-1 | eval "Closed date"=strftime(relative_time(now(),"-1d@d"),"%Y/%m/%d") | table "Closed date" ]
|...rest of the search
The subsearch would return yesterday's date in same format as field "Closed date" to filter records. Please ensure that the time range (which only works on _time) is selected in way that it includes all the data that may have "Closed date" of yesterday.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That has worked like a charm! Thank you so much. I've never come across the gentimes function before
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm using gentimes command to just generate a single row where I can set "Closed date" and return it's value. A more appropriate command for this, for version 6.3+, is | makeresults. (Replacing | gentimes start=-1 with |makeresults in above search).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, updated search accordingly. Is there any documentation on these functions, would like to understand more?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Absolutely. Here is the documentation for makeresults specifically. You can find all other search command in the left side tree view.
https://docs.splunk.com/Documentation/Splunk/7.0.0/SearchReference/Makeresults
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
