https://community.splunk.com/t5/Splunk-Search/Previous-business-week-day/m-p/73586#M18448 <P>This solution was sent to me by Lincoln at Splunk:</P> <PRE><CODE>sourcetype="*Security" earliest=-3d@d latest=@d | eval day_value = case(date_wday=="saturday", "0", date_wday="sunday", "0", date_wday=="monday", "1", date_wday== "tuesday", "2", date_wday=="wednesday", "3", date_wday=="thursday","4", date_wday=="friday", "5") | eventstats max(day_value) as high_value | where day_value=high_value | eventstats count as "EventCount" by EventCode | table EventCode EventCodeDescription EventCount | sort EventCode | dedup EventCode </CODE></PRE> <P><CODE>earliest=-3d@d latest=@d</CODE> = We always have to go back 3 days to pick up Friday when it's Monday.</P> <P><CODE>eval day_value = case(date_wday=="saturday", "0", date_wday="sunday", "0", date_wday=="monday", "1", date_wday== "tuesday", "2", date_wday=="wednesday", "3", date_wday=="thursday","4", date_wday=="friday", "5")</CODE> = Splunk stores the day of the week (in lowercase) as a meta field for every event. Here, we're just setting numeric values into a field called day_value which allows us to differentiate and ultimately code events from the previous business day. Saturday and Sunday are given values of zero. We need decrementing values for the other days of the week, so we can distinguish the previous day from the two days prior. This was the hardest part for me to figure out. Took a little extra "noodle power." <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P><CODE>eventstats max(day_value) as high_value</CODE> = The max function of eventstats determines the largest value inserted into the day_value field by the case function above and puts this value into a new field called high_value. If you run the search on Monday, the max value would be 5 which is contained in Friday's events. Remember, eventstats will code every event (including Saturday and Sunday's events with this value in the high_value field).</P> <P><CODE>where day_value=high_value</CODE> = Now, all that's left is to filter out the events that have lower values in the day_value field and we do that easily enough with the where command.</P> Mon, 28 Sep 2020 09:53:28 GMT MBerikcurtis 2020-09-28T09:53:28Z https://community.splunk.com/t5/Splunk-Search/Previous-business-week-day/m-p/73584#M18446 <P>Could you tell me if Splunk has a way of filtering based on previous business day or previous weekday? I’m using <CODE>earliest=-1d@d latest=@d</CODE> to get results from the previous day but that doesn’t help me on Mondays.</P> Mon, 12 Sep 2011 19:54:50 GMT https://community.splunk.com/t5/Splunk-Search/Previous-business-week-day/m-p/73584#M18446 MBerikcurtis 2011-09-12T19:54:50Z https://community.splunk.com/t5/Splunk-Search/Previous-business-week-day/m-p/73585#M18447 <P><CODE>@w0</CODE> as the earliest will snap to the Sunday of the current week, <CODE>@w0+1d</CODE> would snap to the Monday of the week you are currently on.<BR /> <CODE>-w@w+1d</CODE> would snap to the Monday of the previous business week.<BR /> <CODE>@w5</CODE> would snap to the closest Friday.</P> <P>Below is some detail on SearchTimeModifiers:<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/4.2.3/SearchReference/SearchTimeModifiers">http://docs.splunk.com/Documentation/Splunk/4.2.3/SearchReference/SearchTimeModifiers</A></P> Tue, 13 Sep 2011 08:15:38 GMT https://community.splunk.com/t5/Splunk-Search/Previous-business-week-day/m-p/73585#M18447 Drainy 2011-09-13T08:15:38Z https://community.splunk.com/t5/Splunk-Search/Previous-business-week-day/m-p/73586#M18448 <P>This solution was sent to me by Lincoln at Splunk:</P> <PRE><CODE>sourcetype="*Security" earliest=-3d@d latest=@d | eval day_value = case(date_wday=="saturday", "0", date_wday="sunday", "0", date_wday=="monday", "1", date_wday== "tuesday", "2", date_wday=="wednesday", "3", date_wday=="thursday","4", date_wday=="friday", "5") | eventstats max(day_value) as high_value | where day_value=high_value | eventstats count as "EventCount" by EventCode | table EventCode EventCodeDescription EventCount | sort EventCode | dedup EventCode </CODE></PRE> <P><CODE>earliest=-3d@d latest=@d</CODE> = We always have to go back 3 days to pick up Friday when it's Monday.</P> <P><CODE>eval day_value = case(date_wday=="saturday", "0", date_wday="sunday", "0", date_wday=="monday", "1", date_wday== "tuesday", "2", date_wday=="wednesday", "3", date_wday=="thursday","4", date_wday=="friday", "5")</CODE> = Splunk stores the day of the week (in lowercase) as a meta field for every event. Here, we're just setting numeric values into a field called day_value which allows us to differentiate and ultimately code events from the previous business day. Saturday and Sunday are given values of zero. We need decrementing values for the other days of the week, so we can distinguish the previous day from the two days prior. This was the hardest part for me to figure out. Took a little extra "noodle power." <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P><CODE>eventstats max(day_value) as high_value</CODE> = The max function of eventstats determines the largest value inserted into the day_value field by the case function above and puts this value into a new field called high_value. If you run the search on Monday, the max value would be 5 which is contained in Friday's events. Remember, eventstats will code every event (including Saturday and Sunday's events with this value in the high_value field).</P> <P><CODE>where day_value=high_value</CODE> = Now, all that's left is to filter out the events that have lower values in the day_value field and we do that easily enough with the where command.</P> Mon, 28 Sep 2020 09:53:28 GMT https://community.splunk.com/t5/Splunk-Search/Previous-business-week-day/m-p/73586#M18448 MBerikcurtis 2020-09-28T09:53:28Z