https://community.splunk.com/t5/Splunk-Search/Enrich-event-with-number-of-business-days-till-end-of-the-month/m-p/241974#M188934 <P>I would like to include an evaluated field to the events returned in the search containing the number of business days between the timestamp of the event and the end of the event month. I have a subsear returning the number of business days untill the end of the month:</P> <P>eval TtoEOM=[search * Earliest=$eventtime$ latest=+1month@month | timechart count by host span=1d | appendpipe [|stats count |addinfo | eval temp=info_min_time."##".info_max_time | makemv temp delim="##" | mvexpand temp | eval count=0 | eval _time=temp | table _time count] | timechart span=1d sum(count) as count | fillnull | eval dayname = strftime(_time, "%a") | eval target = strftime(_time, "%d%m%y") |search dayname!=Sat dayname!=Sun | stats count as ret | return $ret]</P> <P>However, I'm unble to get the event time into the Earliest parameter of the subsearch.<BR /> Thank you!</P> Tue, 29 Sep 2020 07:57:03 GMT SP987541 2020-09-29T07:57:03Z https://community.splunk.com/t5/Splunk-Search/Enrich-event-with-number-of-business-days-till-end-of-the-month/m-p/241974#M188934 <P>I would like to include an evaluated field to the events returned in the search containing the number of business days between the timestamp of the event and the end of the event month. I have a subsear returning the number of business days untill the end of the month:</P> <P>eval TtoEOM=[search * Earliest=$eventtime$ latest=+1month@month | timechart count by host span=1d | appendpipe [|stats count |addinfo | eval temp=info_min_time."##".info_max_time | makemv temp delim="##" | mvexpand temp | eval count=0 | eval _time=temp | table _time count] | timechart span=1d sum(count) as count | fillnull | eval dayname = strftime(_time, "%a") | eval target = strftime(_time, "%d%m%y") |search dayname!=Sat dayname!=Sun | stats count as ret | return $ret]</P> <P>However, I'm unble to get the event time into the Earliest parameter of the subsearch.<BR /> Thank you!</P> Tue, 29 Sep 2020 07:57:03 GMT https://community.splunk.com/t5/Splunk-Search/Enrich-event-with-number-of-business-days-till-end-of-the-month/m-p/241974#M188934 SP987541 2020-09-29T07:57:03Z https://community.splunk.com/t5/Splunk-Search/Enrich-event-with-number-of-business-days-till-end-of-the-month/m-p/241975#M188935 <P>Neat search!</P> <P>I noticed that you are having trouble with <CODE>earliest</CODE>, and also notice you've spelled it in your example <STRONG>Earliest</STRONG>. Try changing it to all lower case. Without that change TtoEOM (in my testing) is some massive number, but when I change it TtoEOM returns a very reasonable number.</P> <P>Like so:</P> <PRE><CODE>eval TtoEOM=[search * earliest=$eventtime$ latest=+1month@month | timechart count by host span=1d | appendpipe [|stats count |addinfo | eval temp=info_min_time."##".info_max_time | makemv temp delim="##" | mvexpand temp | eval count=0 | eval _time=temp | table _time count] | timechart span=1d sum(count) as count | fillnull | eval dayname = strftime(_time, "%a") | eval target = strftime(_time, "%d%m%y") |search dayname!=Sat dayname!=Sun | stats count as ret | return $ret] </CODE></PRE> Sun, 22 Nov 2015 03:06:47 GMT https://community.splunk.com/t5/Splunk-Search/Enrich-event-with-number-of-business-days-till-end-of-the-month/m-p/241975#M188935 Richfez 2015-11-22T03:06:47Z https://community.splunk.com/t5/Splunk-Search/Enrich-event-with-number-of-business-days-till-end-of-the-month/m-p/241976#M188936 <P>I spent quite a bit of time on this and cannot figure out a good way to do it. I did, however, figure out a better way to do the math:</P> <PRE><CODE>| eval WorkdaysUntilEndOfCurrentMonth = [|gentimes [|noop | stats count AS start | eval start=strftime(now(), "%m/%d/%Y") | return start=start] [|noop | stats count AS end | eval end=strftime(relative_time(now(), "+1mon@mon"), "%m/%d/%Y") | return end=end] | search starthuman!="Sat*" AND starthuman!="Sun*" | stats count as WorkdaysUntilEndOfCurrentMonth | return $WorkdaysUntilEndOfCurrentMonth] </CODE></PRE> Mon, 23 Nov 2015 17:45:48 GMT https://community.splunk.com/t5/Splunk-Search/Enrich-event-with-number-of-business-days-till-end-of-the-month/m-p/241976#M188936 woodcock 2015-11-23T17:45:48Z https://community.splunk.com/t5/Splunk-Search/Enrich-event-with-number-of-business-days-till-end-of-the-month/m-p/241977#M188937 <P>Show us a run-anywhere example of this actually working end-to-end. I don't see how you can pass outer search fields to a subsearch without using <CODE>map</CODE> which defeats the whole purpose.</P> Mon, 23 Nov 2015 17:51:26 GMT https://community.splunk.com/t5/Splunk-Search/Enrich-event-with-number-of-business-days-till-end-of-the-month/m-p/241977#M188937 woodcock 2015-11-23T17:51:26Z https://community.splunk.com/t5/Splunk-Search/Enrich-event-with-number-of-business-days-till-end-of-the-month/m-p/241978#M188938 <P>Thank you for your valuable inputs! Based on those inputs I've been looking around some more and found this query that does provide me with the result (i.e. enrich my events with an attribute counting the number of business days between event date and the end of the month):</P> <UL> <LI>| transaction IDT | eval start=relative_time(_time,"+1d@d")| eval end=relative_time(_time,"+1month@month") | eval Date=mvrange(start,end,86400) | convert ctime(Date) timeformat="%+"| eval NoOfBusinessDays=mvcount(mvfilter(NOT match(Date,"(Sun|Sat).*"))) | fields NoOfBusinessDays</LI> </UL> Tue, 29 Sep 2020 07:59:38 GMT https://community.splunk.com/t5/Splunk-Search/Enrich-event-with-number-of-business-days-till-end-of-the-month/m-p/241978#M188938 SP987541 2020-09-29T07:59:38Z