How to check lookup based time configurations and set up alerts accordingly

ayushmaan_22
Explorer

I have a requirement to check if an employee shift roster (lookup in Splunk) covers 24 hours in a day for each team. If it doesn't cover, I need to send out an alert to the respective team notifying them that their respective shift roster is not configured properly. Can anybody help me out as to how I can proceed in this?

The employee_shift_roster.csv looks something like this:

| Start time | End time | Team | Employee Name | Available |
|---|---|---|---|---|
| 8:00 | 5:30 | Team A | Roger | Y |
| 5:30 | 8:00 | Team A | Federer | Y |
| 8:00 | 5:30 | Team B | Novak | Y |
| 5:30 | 7:00 | Team B | Djokovic | Y |

Now the alert should go out to Team B stating that their shift roster is not configured properly because 24 hours are not covered in the shift.

Thanks in advance for the help 🙂


ayushmaan_22
Explorer

Hey @ITWhisperer 

Thanks for the detailed and helpful response. This looks promising. I will try this out and will update the thread with further findings.


ITWhisperer
SplunkTrust

Assuming your times will actually be 24-hour clock times (and poor Roger and Novak aren't on 21.5 hour shifts!), you could do something like this:

| makeresults format=csv data="Start time,End time,Team,Employee Name,Available
8:00,17:30,Team A,Roger,Y
17:30,8:00,Team A,Federer,Y
8:00,17:30,Team B,Novak,Y
17:30,7:00,Team B,Djokovic,Y"
``` The lines above create some simulated data based on your example ```
``` Convert start and end times to minutes of the day (assuming times are strings) ```
| eval start=60*tonumber(mvindex(split('Start time',":"),0))+tonumber(mvindex(split('Start time',":"),1))
| eval end=60*tonumber(mvindex(split('End time',":"),0))+tonumber(mvindex(split('End time',":"),1))
``` Determine how many days the shift is part of ```
| eval days=if(start < end,1,2)
``` Duplicate the event for multiple days ```
| eval day=mvrange(0,days)
| mvexpand day
``` Adjust start minute if second day ```
| eval start=if(days<2,start,if(day==1,0,start))
``` Adjust end minute if first day ```
| eval end=if(days<2, end,if(day==0,24*60,end))
``` Determine minutes covered by shift pattern ```
| eval minutes=mvrange(start,end)
| stats dc(minutes) as cover by Team
``` Find which teams do not have every minute covered ```
| where cover < 24*60

Depending on how your shift times are defined, you may be able to adjust this to use 30 minute spans (as suggested by your example), but the principle is the same.
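Added example, not part of the thread and not either poster's code: a variant of the same check that reads the lookup directly, ignores rows where Available is not Y, and lists the uncovered time windows per team instead of only a minute count. It goes beyond the search above by merging intervals with streamstats rather than expanding every minute; the lookup name employee_shift_roster.csv comes from the question, 24-hour clock times are assumed, and the field names seg_start, seg_end, covered_to, gap and uncovered are made up for this example.

```spl
| inputlookup employee_shift_roster.csv
| eval start=60*tonumber(mvindex(split('Start time',":"),0))+tonumber(mvindex(split('Start time',":"),1))
| eval end=60*tonumber(mvindex(split('End time',":"),0))+tonumber(mvindex(split('End time',":"),1))
| eval day=mvrange(0,if(start<end,1,2))   ``` a shift that crosses midnight becomes two segments ```
| mvexpand day
| eval seg_start=if(start>=end AND day==1,0,start)
| eval seg_end=if(start>=end AND day==0,1440,end)
| appendpipe [ stats count by Team | eval seg_start=1440, seg_end=1440, Available="Y" | fields - count ]   ``` end-of-day marker for every team in the lookup ```
| where Available="Y"   ``` drop unavailable staff; the marker row keeps the team visible ```
| sort 0 Team seg_start
| streamstats current=f max(seg_end) as covered_to by Team   ``` latest minute covered by earlier segments ```
| eval covered_to=coalesce(covered_to,0)
| where seg_start>covered_to   ``` a segment starting after the covered point exposes a gap ```
| eval gap_minutes=seg_start-covered_to
| eval gap=printf("%02d:%02d-%02d:%02d",floor(covered_to/60),covered_to%60,floor(seg_start/60),seg_start%60)
| stats values(gap) as uncovered sum(gap_minutes) as uncovered_minutes by Team
```

With the corrected sample data from the answer this returns one row, Team B with uncovered 07:00-08:00 and uncovered_minutes 60; a team whose members are all marked unavailable is reported as 00:00-24:00. Saved as an alert that triggers when the number of results is greater than zero, each result row names one team to notify.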
