Hello!
I am calculating utilization using the code below. Yet, I want to only account for utilization during the weekdays, instead of the whole week.
To do this, I set date_wday= Monday, Tuesday, Wednesday, Thursday, or Friday BUT when doing this, the utilization still accounts for the whole search time frame when I just want it to look at the time for business weeks.
Code:
index=example date_wday=monday OR tuesday or wednesday OR thrusday OR friday
| transaction Machine maxpause=300s maxspan=1d keepevicted=T keeporphans=T
| addinfo
| eval timepast=info_max_time-info_min_time
| eventstats sum(duration) as totsum by Machine
| eval Util=min(round( (totsum)/(timepast) *100,1),100)
| stats values(Util) as "Utilized" by Machine
|stats max(Utilized)
Can I please have help!! Thank you.

Hi
You should try
index=example date_wday IN (monday, tuesday, wednesday, thursday, friday)
....
or whatever those days are in your locale, if those are localised?
Your current query matches only Monday against date_wday, not the others. The other weekdays it tries to find in _raw, and as Splunk adds those at index time as separate fields, it could be that they are not matched in _raw.
r. Ismo
this worked!!! Thank you
****ACCEPTABLE SOLUTION****
Try out
index=example NOT (date_wday="Saturday" OR date_wday="Sunday")
| transaction Machine maxpause=300s maxspan=1d keepevicted=T keeporphans=T
| addinfo
| eval timepast=info_max_time-info_min_time
| eventstats sum(duration) as totsum by Machine
| eval Util=min(round( (totsum)/(timepast) *100,1),100)
| stats values(Util) as "Utilized" by Machine
|stats max(Utilized)
I can confirm this worked because I checked if the timepast (total time of search) timeframe lowered when adding NOT (date_wday="saturday" OR date_wday="sunday") and it did!
Thank you, this worked!! Yet my utilization start time is wrong. I want to take the start time as the time in the filename, but I am having difficulty with the regex command and how it works.
My Regex Code:
|rex field=Filename "(?<new>:(-).+((?1)) )"
Not working!!
ex. Filename String:
013023-123141-46.xml
WANT:
"123141"
THEN add ":" between hour:minute:second
Final string: "12:31:41"
-------------------------------------------------------------------------------
From this string "013023-123141-46.xml"
Step 1: I want to create a new field from the filename using the regex command:
Field: Start_Time = "123141"
Step 2: Add ":" to the new field:
Field: Start_Time turns into "12:31:41"
Step 3: Convert the time string "12:31:41" into a timestamp:
Field: Starttime = strftime(Start_Time,"%h:%m:%s")
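
The three steps above written as one search, added here as an example and not part of the original thread. The makeresults row is constructed sample data, the field names File_Date and Starttime_readable are hypothetical, and reading the leading 013023 as MMDDYY is an assumption. strptime is the function that parses a time string into epoch time; strftime formats an epoch value back into text.

```spl
| makeresults
| eval Filename="013023-123141-46.xml"
| eval Assumption="constructed sample row; MMDDYY date layout assumed"
| rex field=Filename "^(?<File_Date>\d{6})-(?<Start_Time>\d{6})-"
| eval Start_Time=replace(Start_Time, "(\d{2})(\d{2})(\d{2})", "\1:\2:\3")
| eval Starttime=strptime(File_Date." ".Start_Time, "%m%d%y %H:%M:%S")
| eval Starttime_readable=strftime(Starttime, "%Y-%m-%d %H:%M:%S")
| table Filename Start_Time Starttime Starttime_readable
```

The date part of the filename is parsed together with the time so that Starttime is tied to the file's own day rather than to a time of day alone.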
