https://community.splunk.com/t5/Splunk-Search/EVAL-separate-search-for-Monday/m-p/288558#M87374 <P>Thank you very much, this worked!</P> Mon, 26 Mar 2018 13:13:38 GMT davidcraven02 2018-03-26T13:13:38Z https://community.splunk.com/t5/Splunk-Search/EVAL-separate-search-for-Monday/m-p/288548#M87364 <P>Each Monday the event count for skypeuk is 30 and skypeus is 200. However, for the rest of the weekday skypeuk is atleast is 290 and skypeus is 700.</P> <P>How would I build in a new search to the one below to accommodate this low event count on Monday? </P> <PRE><CODE>| tstats count as "Data Received" where index=msexchange host=opspkhf03p source=skypeuk | eval result=if('Data Received'&gt; 200, "PASS", "FAIL") | eval host="opspkhf03p" | append [| tstats count as "Data Received" where index=msexchange host=opspkhf03p source=skypeus | eval result=if('Data Received'&gt; 700, "PASS", "FAIL") | eval host="opspkhf03p"] | table host, "Data Received", result </CODE></PRE> Mon, 26 Mar 2018 08:13:05 GMT https://community.splunk.com/t5/Splunk-Search/EVAL-separate-search-for-Monday/m-p/288548#M87364 davidcraven02 2018-03-26T08:13:05Z https://community.splunk.com/t5/Splunk-Search/EVAL-separate-search-for-Monday/m-p/288549#M87365 <P>Hey</P> <P>What exactly do you want to achieve here? <BR /> What do you want to do with the Monday case? Is it different? Do you have different PASS/FAIL thresholds you want to have just for Mondays?</P> Mon, 26 Mar 2018 08:16:49 GMT https://community.splunk.com/t5/Splunk-Search/EVAL-separate-search-for-Monday/m-p/288549#M87365 tiagofbmm 2018-03-26T08:16:49Z https://community.splunk.com/t5/Splunk-Search/EVAL-separate-search-for-Monday/m-p/288550#M87366 <P>I would like for it to check if it is Monday and use the below pseudo-code logic </P> <P>for skypeuk<BR /> If dayOfWeek=Monday<BR /> check if event count (Data Received) is greater than equals 290 then PASS else FAIL</P> <P>for skypeus<BR /> If dayOfWeek=Monday<BR /> check if event count (Data Received) is greater than equals 700 then PASS else FAIL</P> Mon, 26 Mar 2018 08:21:32 GMT https://community.splunk.com/t5/Splunk-Search/EVAL-separate-search-for-Monday/m-p/288550#M87366 davidcraven02 2018-03-26T08:21:32Z https://community.splunk.com/t5/Splunk-Search/EVAL-separate-search-for-Monday/m-p/288551#M87367 <P>You can do the tstats by _time and then evaluate if it is a Monday or not:</P> <PRE><CODE>| tstats count where index=_internal by _time span=1d | eval date_wday=strftime(_time,"%A") | eval result=if(count&gt; 700 AND date_wday=="Monday", "PASS", "FAIL") </CODE></PRE> Mon, 26 Mar 2018 08:27:50 GMT https://community.splunk.com/t5/Splunk-Search/EVAL-separate-search-for-Monday/m-p/288551#M87367 tiagofbmm 2018-03-26T08:27:50Z https://community.splunk.com/t5/Splunk-Search/EVAL-separate-search-for-Monday/m-p/288552#M87368 <P>Thanks for this. I ran this but it is saying fail with the below search. When adding date_wday to the table it has no value.</P> <PRE><CODE>| tstats count as "Data Received" where index=msexchange host=opspkhf03p source=skypeuk | eval date_wday=strftime(_time,"%A") | eval result=if(count&gt; 30 AND date_wday=="Monday", "PASS", "FAIL") | eval host="opspkhf03p" | append [| tstats count as "Data Received" where index=msexchange host=opspkhf03p source=skypeus | eval date_wday=strftime(_time,"%A") | eval result=if(count&gt; 200 AND date_wday=="Monday", "PASS", "FAIL") | eval host="opspkhf03p"] | table host, "Data Received", result </CODE></PRE> Mon, 26 Mar 2018 11:28:00 GMT https://community.splunk.com/t5/Splunk-Search/EVAL-separate-search-for-Monday/m-p/288552#M87368 davidcraven02 2018-03-26T11:28:00Z https://community.splunk.com/t5/Splunk-Search/EVAL-separate-search-for-Monday/m-p/288553#M87369 <P>Yes because your did not put the tstats <STRONG>by _time</STRONG></P> <P><STRONG>| tstats count where index=_internal by _time span=1d</STRONG><BR /> | eval date_wday=strftime(_time,"%A")<BR /> | eval result=if(count&gt; 700 AND date_wday=="Monday", "PASS", "FAIL")</P> Tue, 29 Sep 2020 18:40:53 GMT https://community.splunk.com/t5/Splunk-Search/EVAL-separate-search-for-Monday/m-p/288553#M87369 tiagofbmm 2020-09-29T18:40:53Z https://community.splunk.com/t5/Splunk-Search/EVAL-separate-search-for-Monday/m-p/288554#M87370 <P>How can I run</P> <PRE><CODE> | tstats count where index=_internal by _time span=1d </CODE></PRE> <P>with my first line</P> <PRE><CODE>| tstats count as "Data Received" where index=msexchange host=opspkhf03p source=skypeuk </CODE></PRE> <P>They don't run together. Am I explaining myself correctly?</P> Mon, 26 Mar 2018 11:58:10 GMT https://community.splunk.com/t5/Splunk-Search/EVAL-separate-search-for-Monday/m-p/288554#M87370 davidcraven02 2018-03-26T11:58:10Z https://community.splunk.com/t5/Splunk-Search/EVAL-separate-search-for-Monday/m-p/288555#M87371 <P>They can run together of you put it like this</P> <PRE><CODE> | tstats count as "Data Received" where index=msexchange host=opspkhf03p source=skypeuk by _time span =1d </CODE></PRE> Mon, 26 Mar 2018 12:00:20 GMT https://community.splunk.com/t5/Splunk-Search/EVAL-separate-search-for-Monday/m-p/288555#M87371 tiagofbmm 2018-03-26T12:00:20Z https://community.splunk.com/t5/Splunk-Search/EVAL-separate-search-for-Monday/m-p/288556#M87372 <P>Thanks I appreciate your help on this. Now I'm receiving two rows and both are FAIL when running with Last 24 hours</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/4617iE4E6515A149BD48F/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Mon, 26 Mar 2018 12:22:17 GMT https://community.splunk.com/t5/Splunk-Search/EVAL-separate-search-for-Monday/m-p/288556#M87372 davidcraven02 2018-03-26T12:22:17Z https://community.splunk.com/t5/Splunk-Search/EVAL-separate-search-for-Monday/m-p/288557#M87373 <P>That is happening because your search is also going through the 25th of March which is Sunday.</P> <P>If in the end you put the <STRONG>date_wday</STRONG> in the table you will get one row for Sunday and another for Monday.</P> <P>If you just want the data for Monday, then just filter that one out like I;m showing below. If not, just have the results per date_wday where you can see Monday results but also any other days you want. It is up to you.</P> <PRE><CODE> | tstats count as "Data Received" where index=msexchange host=opspkhf03p source=skypeuk by _time span =1d | eval date_wday=strftime(_time,"%A") | where date_wday=="Monday" | eval result=if(count&gt; 30 AND date_wday=="Monday", "PASS", "FAIL") | eval host="opspkhf03p" </CODE></PRE> Mon, 26 Mar 2018 12:31:46 GMT https://community.splunk.com/t5/Splunk-Search/EVAL-separate-search-for-Monday/m-p/288557#M87373 tiagofbmm 2018-03-26T12:31:46Z https://community.splunk.com/t5/Splunk-Search/EVAL-separate-search-for-Monday/m-p/288558#M87374 <P>Thank you very much, this worked!</P> Mon, 26 Mar 2018 13:13:38 GMT https://community.splunk.com/t5/Splunk-Search/EVAL-separate-search-for-Monday/m-p/288558#M87374 davidcraven02 2018-03-26T13:13:38Z