Channel: Questions in topic: "splunk-enterprise"

return: eval filename=strftime(now(), with yesterdays count (as fileinformation)

Hello, looking for some help.

I am running a search daily, but the logs in the source get updated late by the application (the app updates the source/log file the next day with values related to the previous day), so I want to run my search the next day and return the result into an outputlookup .csv including the day count of the previous day.

For example: if my search runs daily, let's say on day 9 (the search is on the previous day, 8 = yesterday), it returns an outputlookup .csv as file-name_%d.csv, which is equal to file-name_09.csv (works perfectly). I need to get it returned as **file-name_08.csv**.

Below is the search I am using:

```
index="application-license" sourcetype=application License_User_device=* License_feature_status="OUT" License_user=*
| eval License_feature_status=(License_feature_status)
| eval License_User_device=split(License_User_device,",")
| eval License_user=split(License_user,",")
| makemv delim="," License_user
| mvexpand License_user
| sort License_user
| dedup License_user
| stats list(License_user) as "User" list(License_User_device) as "Computer" count(License_feature_status) as "LicenseTaken" by _time
| outputlookup [ | stats count | eval filename=strftime(now(), "Application-license-usage-per_day_%d.csv") | return $filename]
```

I tried (without results):

```
| outputlookup [ | stats count | eval filename=strftime((now()*,"-1d")*, "Minitab-license-usage-per_day_%d.csv") | return $filename]
```

or

```
| outputlookup [ | stats count | eval filename=relative_time(now(), "-1d@d"), "%m/%d") | return $filename]
```

Do you have any idea / solution for me?

Thanks in advance,
Kai
