How to find utilization for week days only?

ichesla1111
Path Finder

Hello!

I am calculating utilization using the code below. Yet, I want to only account for utilization during the weekdays, instead of the whole week.

To do this, I set date_wday= Monday, Tuesday, Wednesday, Thursday, or Friday BUT when doing this, the utilization still accounts for the whole search time frame when I just want it to look at the time for business weeks.

Code:
index=example date_wday=monday OR tuesday or wednesday OR thrusday OR friday
| transaction Machine maxpause=300s maxspan=1d keepevicted=T keeporphans=T
| addinfo
| eval timepast=info_max_time-info_min_time
| eventstats sum(duration) as totsum by Machine
| eval Util=min(round( (totsum)/(timepast) *100,1),100)
| stats values(Util) as "Utilized" by Machine
|stats max(Utilized)


Can I please have help!! Thank you.

0 Karma
1 Solution

PaulPanther
Builder

@ichesla1111 

Try out

index=example NOT (date_wday="Saturday" OR date_wday="Sunday")
| transaction Machine maxpause=300s maxspan=1d keepevicted=T keeporphans=T
| addinfo
| eval timepast=info_max_time-info_min_time
| eventstats sum(duration) as totsum by Machine
| eval Util=min(round( (totsum)/(timepast) *100,1),100)
| stats values(Util) as "Utilized" by Machine
|stats max(Utilized)


isoutamo
SplunkTrust

Hi

you should try

index=example date_wday IN (monday, tuesday, wednesday, thursday, friday)
....

or whatever those days are in your locale, if those are localised?

Your current query matches only Monday against date_wday, not the others. It tries to find the other weekdays in _raw, and as Splunk adds those at index time as separate fields, it could be that they do not match in _raw.

r. Ismo


ichesla1111
Path Finder

this worked!!! Thank you

****ACCEPTABLE SOLUTION****

0 Karma


ichesla1111
Path Finder

I can confirm this worked because I checked if the timepast (total time of search) timeframe lowered when adding NOT (date_wday="saturday" OR date_wday="sunday") and it did!

0 Karma

ichesla1111
Path Finder

Thank you, this worked!! Yet my utilization start time is wrong. I want to take the start time as the time on the filename but I am having difficulty doing the regex command and how it works.

My Regex Code:
|rex field=Filename "(?<new>:(-).+((?1)) )"

Not working!!

ex. Filename String:

013023-123141-46.xml


WANT:
"123141" 

013023-123141-46.xml


THEN add ":" between hour:minute:second
Final string: "12:31:41"


-------------------------------------------------------------------------------
From this string "013023-123141-46.xml"

Step 1: I want to create a new field from the filename using the regex command:

Field: Start_Time = "123141"


Step 2: Add ":" to second field new fields:
Field: Start_Time turn into "12:31:41" 

Step 3: Convert time string "12:31:41" into a time stamp:
Field: Starttime = strftime(Start_Time,"%h:%m:%s")


0 Karma
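
The three steps described in the post above, written out as an added SPL example that is not part of the original thread: rex captures the middle block of the filename, replace() inserts the colons, and strptime() parses the result into an epoch timestamp. It assumes the filename layout is MMDDYY-HHMMSS-NN.xml (reading 013023 as a date is an assumption); the field names file_date and Starttime_readable are hypothetical, and makeresults only constructs a sample event from the filename given in the post.

```spl
| makeresults
| eval Filename="013023-123141-46.xml"
| rex field=Filename "^(?<file_date>\d{6})-(?<Start_Time>\d{6})-\d+\.xml$"
| eval Start_Time=replace(Start_Time, "^(\d{2})(\d{2})(\d{2})$", "\1:\2:\3")
| eval Starttime=strptime(file_date." ".Start_Time, "%m%d%y %H:%M:%S")
| eval Starttime_readable=strftime(Starttime, "%Y-%m-%d %H:%M:%S")
| table Filename file_date Start_Time Starttime Starttime_readable
```

On the sample event Start_Time becomes 12:31:41. Filenames that do not match the anchored pattern leave Start_Time and Starttime null, so malformed names can be found with a where isnull(Starttime) filter instead of silently producing a wrong start time.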