Set time frame of Splunk Dashboard report

Shashank_87
Explorer

Hi, I am working on a dashboard report which I need to schedule bi-weekly, i.e. Monday and Thursday morning. I have the cron expression ready (30 08 * * 1,4), but how do I change the time dynamically?
For example, when the report runs on Monday morning, it should fetch the data of Thursday, Friday, Saturday and Sunday. And when it runs on Thursday, it should fetch the data from Monday, Tuesday and Wednesday.
Now if I set the time as "Last 4 days", the Monday report works fine, but the Thursday report fetches the data of Sunday as well, which is not required.
Can someone help? Any suggestion or hint is appreciated.

0 Karma
1 Solution

gcusello
SplunkTrust

Hi Shashank_87,
I had the same problem and I solved it by creating two reports with the same search and different timeframes, one scheduled for Monday and the other for Thursday.

Ciao.
Giuseppe

0 Karma

wmyersas
Builder

Tweak the days for your case (I did with Tue & Fri, because I tested it today (Tuesday)):

index=ndx sourcetype=srctp
| eval dow=strftime(_time,"%a")
| eval today=strftime(now(),"%a")
| eval keept=if(today="Tue","Fri,Sat,Sun,Mon","No")
| makemv delim="," keept
| eval keepf=if(today="Fri","Tue,Wed,Thu","No")
| makemv delim="," keepf
| eval keep=if((mvfind(keept,'dow')>=0 OR mvfind(keepf,'dow')>=0),"yes","no")
| search keep="yes"
| stats count by dow today

This adds 5 fields to each event ( dow, today, keept, keepf, keep ), and keeps events only if the event's day of the week ( dow ) is found in one of the multivalue keep[f|t] fields.

Fwiw, this will also "work" every day of the week - but it will only return results when you run it on either Tuesday or Friday (see the today field).

There are probably good ways to improve this, but it's fully-functional now.

0 Karma

Shashank_87
Explorer

@wmyersas Thanks for your response. This logic also works but is a bit messy. I would just go with the creation of 2 reports and schedule them on Monday and Thursday respectively. But thanks for the response. I am saving this query. Might be helpful in future. 🙂

wmyersas
Builder

Scheduling two separate reports is easier in one regard - but you do now have to maintain two things instead of one 🙂

Personally, I'd prefer to have one that I just scheduled every day across the last 4-7 days, and get the results when there actually are some (Mo & Th) 🙂

0 Karma
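
A third option for the question above, shown as an added example that is not from any post in this thread: a single scheduled report whose subsearch works out `earliest` and `latest` from the day it runs, so the time range itself changes instead of events being filtered after retrieval. It reuses the placeholder `index=ndx sourcetype=srctp` from the thread and assumes the report runs only on the cron schedule from the question (`30 08 * * 1,4`).

```spl
index=ndx sourcetype=srctp
    [| makeresults
     | eval today=strftime(now(),"%a")
     | eval earliest=case(today="Mon", relative_time(now(),"-4d@d"),
                          today="Thu", relative_time(now(),"-3d@d"))
     | eval latest=relative_time(now(),"@d")
     | return earliest latest]
| eval dow=strftime(_time,"%a")
| stats count by dow
```

On Monday the window runs from Thursday 00:00 up to Monday 00:00, and on Thursday from Monday 00:00 up to Thursday 00:00, so consecutive runs neither overlap nor leave a gap. The `case()` has no branch for other days, so the subsearch only sets both bounds when the report runs on Monday or Thursday.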
