Solved: Re: Is there a way to include the time range used ...

skender27 · ‎12-01-2015

Hi,

I have several scheduled searches (reports) which are delivered every month in .pdf format via email.
Is there a way to include the time range the searches applied in these results (I mean which data ranges do the searches refer)?

It would be great if these info could be visible in the pdf pages...

Thanks,
Skender

hortonew · ‎12-01-2015

| addinfo | eval start=strftime(info_min_time, "%Y-%m-%d %T") | eval end=strftime(info_max_time, "%Y-%m-%d %T")

Then you could use the tokens $start$ and $end$ in your report

View solution in original post

lguinn2 · ‎12-01-2015

You can always do this for any report:

yoursearchhere
| yourreporthere
| addinfo 
| eval TimeRange="Time range for report is from " . strftime(info_min_time,"%x %X") . " to " .  
         strftime(info_max_time,"%x %X")

However, it will probably look better if you use some other name in the eval instead of TimeRange. Here is an example

index=web status=404
| stats count by host status
| appendpipe [ addinfo 
| eval host="Time range for report is from " . strftime(info_min_time,"%x %X") . " to " .
         strftime(info_max_time,"%x %X")  ]

This will put the "footnote" about the time range into the host column of the report. You can also play around with sorting, etc. to get the timerange information to the top of the report.

If you are creating a dashboard, you can put the time heading in its own panel at the top of the dashboard. However, you have to run some search before you get the addinfo data. So this would work

index=main | head 1
| addinfo 
| eval 'Start Time'=" strftime(info_min_time,"%x %X") 
| eval 'End Time'= strftime(info_max_time,"%x %X") 
| table "Start Time" "End Time"

Save this as a report and add it to any dashboard - or use it as an inline search in any dashboard.

skender27 · ‎12-03-2015

I used the variables in the edit alert, email action:

"The alert condition for "$name$" was triggered.
Results' time range:
$job.earliestTime$ --- $job.latestTime$"

Skender

skender27 · ‎12-03-2015

Hi,

The aim is to add this info as a title of the email which I receive when the trigger happens...
How to put them as tokens in the email trigger action (like the default search name for example: $name$)?

Thanks,
Skender

hortonew · ‎12-01-2015

| addinfo | eval start=strftime(info_min_time, "%Y-%m-%d %T") | eval end=strftime(info_max_time, "%Y-%m-%d %T")

Then you could use the tokens $start$ and $end$ in your report

skender27 · ‎12-01-2015

I edited the email alert of the scheduled search and I noticed an option which is called Trigger Time.
What does it mean? is it the time range the search includes?
Has someone used alert email tokens?

Skender

skender27 · ‎12-01-2015

What if I inserted the email alert: Time range is: $range$ where range is the token which used from the time range picker input...

Skender

Is there a way to include the time range used for a scheduled search in the emailed PDF of results?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases