Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to set this date search automatically? Need to set alert for yesterdays date search

bhaskar5428
Explorer
‎05-10-2022 11:23 PM 
index=* namespace="dk1017-j" sourcetype="kube:container:kafka-clickhouse-snapshot-writer" message="*Snapshot event published*" AND message="*zvkk*" AND message="*2022-05-09*"
|fields message
|rex field=_raw "\s+date=(?<BusDate>\d{4}-\d{2}-\d{2})"
|rex field=_raw "sourceSystem=(?<Source>[^,]*)"
|rex field=_raw "entityType=(?<Entity>\w+)"
|rex field=_raw "\"timestamp\":\"(?<Time>\d{4}-\d{2}-\d{2}[T]\d{2}:\d{2})"
|sort Time desc
|dedup Entity
|table Source, BusDate, Entity, Time

 

 

In above query  *******message="*2022-05-09*" **************

i would like to set this date search automatically , basically need to set alert for yesterdays date search 

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎05-11-2022 12:23 AM

Firstly, you should NOT use wildcards at the beginning of your search term unless absolutely necessary. Especially in the initial search phase.

Secondly, please rephrase your question because it's not clear what you want.

0 Karma
Reply

bhaskar5428
Explorer
‎05-11-2022 12:26 AM

message="*2022-05-09*"

 

basically there are multiple past dates available in events , but i would like to pick up only previous day (day -1 ),
and dont want to enter date manually 

and after this set email alert 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎05-11-2022 01:10 AM

There are two issues (apart from my original remark about wildcards) here. Three even.

I understand that you have a "main" timestamp in your event as well as other time-related field. And you want to filter on that other field. It boils down to the normal search for a value or range of values in a field.

Firstly, you still have to limit your search to some timerange - of course you can search "All time" but that's highly ineffective. So you have to approximate some timerange in which "your" event should be and limit your search timerange to those times. (for example, if looking for events "from" 2022-05-09, you might look for events back from 2022-05-08 till 2022-05-10).

Secondly, to make the searching easy, you should, as @isoutamo mentioned, have the field extracted so it's easy to match the field by its name.

And thirdly, you have two possible approaches.

1) Use a subsearch to render the date to a string and use that as a condition in the main search.

or

2) Just search for all events from a given timerange and limit the results with - for example - evaling a temporary field to a yesterdays date and comparing the values of the temporary field to your date field with | where.

0 Karma
Reply

bhaskar5428
Explorer
‎05-11-2022 12:18 AM

message="*2022-05-09*"

 

basically there are multiple past dates available in events , but i would like to pick up only previous day (day -1 ),
and dont want to enter date manually 

and after this set email alert 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎05-10-2022 11:35 PM

Hi

If you want search based on that field, you should add this field extractions to props.conf and/or transforms.conf.  Do you want to index with that field or just search?

If you want that we are helping you to create those conf files, then please give some raw events before/in splunk to help us.

r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...