topic Re: Get data from the last 2 business days in Splunk Search

Get data from the last 2 business days

younesboumaaz — Thu, 11 Feb 2021 16:26:52 GMT

I'm setting an alert that will run everdy business day at 9AM and triggers only if the sum of a field is 0 for 2 consecutive business day.

To do that, I want to set my time range for my search to return events from the last two business days.

For example, if it is Monday, it will return data for Thursday and Friday, if it is Tuesday, it will return data for Friday and Monday.

I tried to use "earliest" and "latest" at the beginning of my search but I can't get it to work....

Any Help would be welcome ! 🙂

Re: Get data from the last 2 business days

lydiapal_splunk — Sun, 14 Feb 2021 00:24:48 GMT

Hi!

Here's a solution that will work if your data has the default field "date_wday" extracted (see docs here). Although it is a default field (extracted automatically), you should read the docs before using this field. If this field is not available, you would need some other logic to determine the weekday for each event.

index=yourindex earliest=-4d@d latest=-0d@d date_wday IN ("monday","tuesday","wednesday","thursday","friday") | eventstats latest(date_wday) as last_weekday | eval previous_working_day=case(last_weekday="monday","friday",last_weekday="tuesday","monday",last_weekday="wednesday","tuesday",last_weekday="thursday","wednesday",last_weekday="friday","thursday") | where date_wday=last_weekday OR date_wday=previous_working_day ... rest of your search...

Basically the search will look back last 4 full days (as on Monday it will have to look back for Thursday-Friday).

It will filter to only look at weekdays, determine last week day, and based on this, determine the previous week day. Then it will filter to only show those last two weekdays.

Hope this helps! 😊

Phoebe

Re: Get data from the last 2 business days

lydiapal_splunk — Sun, 14 Feb 2021 00:25:48 GMT

Also to note that there must be events on the "last working day" for this search to work.

Re: Get data from the last 2 business days

younesboumaaz — Mon, 15 Feb 2021 13:35:13 GMT

Thank you for your response! Indeed, it would work if only date_wday was in my data... But no worries, it inspired me, and I worked on it to finally find a solution!

I've set my time range to "6 last days" :

index=yourindex | timechart span=1d sum(NbrHashOK) as sommehash | fillnull value=0 sommehash | eval Jour=strftime(_time, "%A %d %B %Y"), day_of_week = strftime(_time,"%A"), now=strftime(now(),"%A") , test=case(now="Monday" AND (day_of_week="Thursday" OR day_of_week="Friday"),"OK", now="Tuesday" AND (day_of_week="Friday" OR day_of_week="Monday"),"OK", now="Wednesday" AND (day_of_week="Monday" OR day_of_week="Tuesday"),"OK", now="Thursday" AND (day_of_week="Tuesday" OR day_of_week="Wednesday"),"OK", now="Friday" AND (day_of_week="Wednesday" OR day_of_week="Thursday"),"OK", 1=1,0) | where test="OK" | stats sum(sommehash) as test_sommehash values(Jour) as jour