Sanity check: using makeresults and a case for earliest/latest

lembark — Sun, 17 Mar 2024 19:37:24 GMT

In a perfect world I'd find a way to get this into the time picker,
but I haven't seen suggestions for that (please warn me if I've
missed something).

Q: Is the solution I've found for dealing with previous business
day workable or have I missed an edge case that people have
seen before (e.g., it blows up in cron)?

Thanks

I'm trying to find some way to evaluate a window time during a
business week. Goal is having a dashboard w/ drilldown to the
previous business day (for comparison to the main graph giving
today's data). This means processing last Friday on Monday.

The basic question has been asked any number of times but the
answers vary in complexity.

The simplest approach I could find was using a 3-day window in
the time picker and then adding an earliest/latest value via
sub-select to limit the data:

https://community.splunk.com/t5/Splunk-Search/How-to-to-dynamically-change-earliest-amp-latest-in-subsearch-to/m-p/631220

The approach of:

<your index search> [ search index=summary source="summaryName" sourcetype=stash search_name="summaryName field1=* | stats count by _time | streamstats window=2 range(_time) as interval | where interval > 60 * 15 | eval earliest=_time-interval+900, latest=_time | fields earliest latest ]

Seems simple enough: Generate an earliest/latest based on the weekday.

Applying this to my specific case of business hours during
the business week I get this with a case on the weekday from
makeresults, which at least seems like a lightweight solution:

index="foo" [ | makeresults | eval wkday = strftime( _time, "%a" ) | eval earliest = case( wkday = "Mon", "-3d@d+8h", wkday = "Sun", "-2d@d+8h", wkday = "Sat", "-1d@d+8h", 1=1, "@d+8h" ) | eval latest = case( wkday = "Mon", "-3d@d+17h", wkday = "Sun", "-2d@d+17h", wkday = "Sat", "-1d@d+17h", 1=1, "@d+17h" ) | fields earliest latest ] | stats earliest( _time ) as prior latest( _time ) as after | eval prior = strftime( prior, "%Y.%m.%d %H:%M:%S" ) | eval after = strftime( after, "%Y.%m.%d %H:%M:%S" ) | table prior after

And even seems to work: on Sunday the 17th I get:

prior after
2024.03.15 08:00:00 2024.03.15 16:59:59

Only question now is whether there is some edge case I've missed
(e.g., running via crontab) where the makeresults will generate an
offball time or something.

Thanks

Re: Sanity check: using makeresults and a case for earliest/latest

ITWhisperer — Sun, 17 Mar 2024 22:10:03 GMT

Assuming you just want to go back to the previous Friday, if it is Saturday, Sunday or Monday, or the previous day otherwise, you could use addinfo to get the start of the search period and reset the earliest and latest like this

topic Sanity check: using makeresults and a case for earliest/latest in Splunk Search

Sanity check: using makeresults and a case for earliest/latest

Re: Sanity check: using makeresults and a case for earliest/latest