Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to keep the results for each day from a daily scheduled search on dashboard for the last 1 month?

chandra61446
New Member
‎01-03-2016 11:10 PM

How to keep everyday search result on dashboard?
e.g. I need a search to run daily on 00:01 Hours everyday and display it on dashboard, but when it runs on the next day, it should produce a column with the current date and keep the column of the previous date result as well. I would like this dashboard to maintain the search result history for the last 1 month.

Any Ideas, how to do that?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎01-05-2016 02:42 AM

Try summary indexing. Run your search everyday and store only the results you want in summary index. Use the summary index in dashboard. This will speed up your dashboard especially if you have to search for one month data

http://docs.splunk.com/Documentation/Splunk/6.3.1511/Knowledge/Usesummaryindexing

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ctaf
Contributor
‎01-05-2016 02:50 AM

You could use the Timewrap command: https://splunkbase.splunk.com/app/1645/

| timechart count span=1h | timewrap d |

It allows you to compare days to days or weeks to weeks very easily

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎01-05-2016 02:42 AM

Try summary indexing. Run your search everyday and store only the results you want in summary index. Use the summary index in dashboard. This will speed up your dashboard especially if you have to search for one month data

http://docs.splunk.com/Documentation/Splunk/6.3.1511/Knowledge/Usesummaryindexing

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

thirumalreddyb
Communicator
‎01-04-2016 03:47 AM

If your number of results are less then,

your search query.... | append [|inputlookup RESULTS.csv | eval epoch_date=strptime(date,"%Y-%m-%d") (or whatever the format) | where epoch_date>=now-(30*86400) ]outputlookup RESULTS.csv

Now schedule this search to run at 00:01 hours everyday and use the RESULTS.csv to power your dashboard.

P.S: Accept the answer if it is useful.

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...