Hello,I have this query..
index="dpsn_students" earliest=0 latest=now suspended=false AND (class= "*" OR class= "* *")
| dedup primaryEmail
| rename primaryEmail as email
| eval class=upper(class)
| join type=outer email
[ search index="dpsn_meet"
| rex field=date "(?<yy>[^\.]*)\-(?<mm>[^\.]*)\-(?<dd>[\S]*)T(?<hh>[^\.]*)\:(?<min>[^\.]*)\:(?<sec>[^\.]*)\."
| eval ndatetime = yy.mm.dd.hh.min.sec
| eval _time=strptime(ndatetime,"%Y%m%d%H%M%S") + 19800
| eval Time = strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval Duration = duration_seconds/60
| stats sum(Duration) as tot by email]
| join type=outer class
[ search index="dpsnapitt" AND (class= "*" OR class= "* *") AND day="DAY 1" | stats count as Total by class
| eval class_time=Total*30]
| fillnull value="0"
| where class!="0"
| eval m=0.75
| eval p=1
| eval n=class_time
| eval o=m*n*p
| where tot >= o
| stats count as "Total"
If I run this query on Monday with the time range of last 31 hours before 2pm, some data is coming but it should be 0 as there is no school on Sunday. At 2pm on Monday, cron job is done but I dont know how to handle it before 2pm.
Pleases help.
