Reporting

How do you set up a time range from 10 pm to 4am for a scheduled hourly report?

shaikhussain2
Explorer

We had set up a report which triggers on an hourly basis from 10PM to 4AM, but the 10PM and 11PM reports contain the last 24 hours of data. We only need a report covering the 10PM to 4AM data. Please let us know what we need to feed in EARLIEST and LATEST.

0 Karma
1 Solution

DalJeanis
SplunkTrust

So, think in terms of finding the start of the same day, and then using an offset.

In this case, if you want the report running from 10 PM to 4 AM, then you need to either add at least 2 hours or subtract at least 4 hours to put it all on the same day.

So to get 10 PM, you take whatever time it is running, add at least 2 hours, then calculate the start of the day you are in, and subtract 2 hours again.

Earliest=+2h@d-2h

To get 4 AM, you take whatever time it is running, add at least 2 hours, then calculate the start of the day you are in, and add 4 hours again.

Latest=+2h@d+4h

Now, let's make sure we always get 10 PM and 4 AM. Let's suppose that we are running at 3 am.

earliest = 3am+2h -> 5am @d-> midnight -2h = 10 pm.  Correct.

latest = 3am + 2h -> 5 am @d -> midnight  +4h = 4 am.  Correct.

Now, technically, since you only need 6 hours total, we have nearly 18 hours of leeway. As the first step, we could have added any number from 2h to 19h and the calculation would work exactly the same, because @d will truncate the time to the start of day.

0 Karma
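As an added worked example (not part of DalJeanis's answer and not Splunk code), the following Python script implements the "offset, snap to start of day, offset again" logic the answer describes, for the subset of Splunk relative-time syntax used in this thread: `+Nh`/`-Nh`, `+Nd`/`-Nd`, `@d` (snap to start of day) and `@h` (snap to start of hour). It evaluates `earliest=+2h@d-2h` and `latest=+2h@d+4h` for every hourly run between 10 PM and 4 AM on a constructed sample date, and checks the claim that any first-step offset from 2h to 19h gives the same window. The function names and the sample date are this example's own assumptions.

```python
"""Evaluate Splunk-style relative time modifiers such as +2h@d-2h.

Added example; it models only the modifiers used in the thread
(+/-Nh, +/-Nd, @d, @h), applied left to right as Splunk does.
"""
import re
from datetime import datetime, timedelta

# One token per match: a signed offset with unit h or d, or a snap token.
TOKEN = re.compile(r"([+-]\d+)([hd])|(@d)|(@h)")

def resolve(modifier: str, now: datetime) -> datetime:
    """Apply `modifier` to `now`, one token at a time, left to right."""
    t = now
    pos = 0
    for m in TOKEN.finditer(modifier):
        if m.start() != pos:
            raise ValueError(f"unparsed text in {modifier!r} at offset {pos}")
        pos = m.end()
        if m.group(3):                       # @d -> start of the current day
            t = t.replace(hour=0, minute=0, second=0, microsecond=0)
        elif m.group(4):                     # @h -> start of the current hour
            t = t.replace(minute=0, second=0, microsecond=0)
        else:                                # signed offset in hours or days
            n, unit = int(m.group(1)), m.group(2)
            t += timedelta(hours=n) if unit == "h" else timedelta(days=n)
    if pos != len(modifier):
        raise ValueError(f"trailing text in {modifier!r} at offset {pos}")
    return t

def window(run_time: datetime, earliest_mod: str, latest_mod: str):
    """Return the (earliest, latest) pair a report would use when run at run_time."""
    return resolve(earliest_mod, run_time), resolve(latest_mod, run_time)

# Hourly run times of the report, 10 PM through 4 AM inclusive.
RUN_HOURS = [22, 23, 0, 1, 2, 3, 4]

def offset_works(offset_hours: int) -> bool:
    """True if +{offset}h@d-2h / +{offset}h@d+4h give the 22:00-04:00 window
    for every hourly run in that window.  Sample date is constructed."""
    day = datetime(2024, 1, 15)
    expected = (day.replace(hour=22), day + timedelta(days=1, hours=4))
    for h in RUN_HOURS:
        run_day = day if h >= 22 else day + timedelta(days=1)
        run = run_day.replace(hour=h)
        got = window(run, f"+{offset_hours}h@d-2h", f"+{offset_hours}h@d+4h")
        if got != expected:
            return False
    return True

if __name__ == "__main__":
    day = datetime(2024, 1, 15)
    for h in RUN_HOURS:
        run = (day if h >= 22 else day + timedelta(days=1)).replace(hour=h)
        start, end = window(run, "+2h@d-2h", "+2h@d+4h")
        print(f"run {run:%Y-%m-%d %H:%M} -> earliest {start:%m-%d %H:%M}, latest {end:%m-%d %H:%M}")
    ok = [n for n in range(1, 25) if offset_works(n)]
    print("first-step offsets that work:", ok)
```

Running the script prints the same 22:00 and 04:00 bounds for all seven run times, and reports that exactly the offsets 2h through 19h work, which matches the leeway the answer describes (1h snaps back into the previous day for the 10 PM run, and 20h snaps the 4 AM run forward into the next day).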

shaikhussain2
Explorer

Thanks Dal, it helps me a lot and the answer was absolutely correct..!! And thanks for elaborating the answer.

hcheang
Path Finder

Try below

index=test test test=test earliest=-6h@h
| eval hour=strftime(_time,"%H")
| eval current_hour=strftime(now(),"%H")
| eval hour_filter=if(current_hour>4,21,0)
| where hour>hour_filter
| ...

At 11 PM, current_hour=23 and thus hour_filter=21.

0 Karma

somesoni2
SplunkTrust

Could you provide more details on your search, basically your current time range used and cron schedule? Do you want to process last 1 hour of data from 11 PM to 4 AM and process last 24 hrs when run at 10 PM?

0 Karma

shaikhussain2
Explorer

For example, we have one report that we generate every hour from 8pm to 2pm, and the time range is earliest=+4h@d-4h & latest=+4h@d+14h, meaning it collects only 8pm to 2pm data. Like that, we need 10pm to 4am.

0 Karma

shaikhussain2
Explorer

Basically the report generates every hour from 10 pm to 4 am and we set the time range as last 24 hours, but the end users are saying we don't want the last 24 hrs of data, we just need the 10pm to 4 am data.

For example: if the report generates at 10 pm then it should take 10 pm data only, and if the report generates at 2 am then it should take 10 pm data till 2 am; like that, the last report at 4 am should take 10 pm to 4 am data only.

0 Karma