Did you happen to find a solution to this, or did you end up going with @wpreston's recommendation of making it into a search macro? This is an interesting topic, so just wanted to make sure this post gets resolved as it'll be useful for many other users.
You can do this through the Splunk UI:
Thanks for these tips! However, the issue I'm having comes up when the current day is Monday and I want to see Friday's data (the previous business day).
In a search command we can use a case statement to set the day.
index=myindex sourcetype=something [search index=mainframe | head 1 | eval day_of_week = tonumber(strftime(now(), "%w")) |eval earliest = case(day_of_week == 0, "-2d@d", day_of_week == 1, "-3d@d", 1 == 1, "-1d@d") | fields earliest] [search index=mainframe | head 1 | eval day_of_week = tonumber(strftime(now(), "%w")) |eval latest = case(day_of_week == 0, "-1d@d", day_of_week == 1, "-2d@d", 1 == 1, "@d") | fields latest]
How do I create a custom preset or a time picker choice that would set the date based on what day it is now?
Ah, I see, sorry about that. I'm not sure how to create a conditional time preset that is available in the time range picker. You could, however, create a search macro to give you the same effect. Here is the search I wrote for the macro:
[search * | head 1 | eval tnow=now() | eval myTime=strftime(tnow,"%w") | eval earliest=if(myTime=6 OR myTime=0 OR myTime=1,"@w5+8h","-1d@d+8h") | eval latest=if(myTime=6 OR myTime=0 OR myTime=1,"@w5+17h","-1d@d+17h") | fields earliest,latest | format "(" "(" "" ")" "OR" ")" ]
I named the macro PreviousBusinessDay. You can use it in a search like this:
`PreviousBusinessDay` search terms here | piped | commands | here...
It should accomplish the meat of what you want, but unfortunately I don't know how to put this kind of functionality inside the timerangepicker presets. Hopefully this will help out at least a little until another solution can be found.
Also I should add, just in case anyone needs it, how to create and use a search macro.
The newly created macro can be used by enclosing the macro name in accent ( ` ) characters (the character that shares a key with the tilde (~) on the keyboard), like this: `PreviousBusinessDay`.
Docs on search macros can be found here
Just in case you need to know, use Splunk's relative time modifiers to specify the earliest and latest times for your new time range preset. For example, if you want to set the earliest time to "yesterday at 8:00 am", use this: -1d@d+8h. An example latest time of "yesterday at 5:00 pm" would be -1d@d+17h.
Some documentation and examples of relative time modifiers can be found here.
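Both approaches above (the case-statement subsearch that emits -2d@d/-3d@d/-1d@d, and the PreviousBusinessDay macro that switches to @w5 on Saturday, Sunday and Monday) hinge on how Splunk resolves relative time modifiers for each weekday. The following is an added Python example, not code from this thread or from Splunk, that resolves the subset of Splunk's relative-time grammar those searches use (signed d/h offsets, @d, @wN with Sunday=0) and checks, for a constructed week starting Monday 2024-01-01, that each strategy lands on the true previous business day. The resolver's semantics are my reading of the Splunk relative-time documentation, and the dates and the 08:00 to 17:00 hours are constructed for the check.

```python
"""Check the two 'previous business day' strategies from the thread by
resolving their Splunk relative-time modifiers in plain Python.

Assumptions (not from the thread): only d/h offsets, @d and @wN are
supported, and @wN snaps back to the most recent weekday N (Sunday=0),
which is how Splunk documents it.
"""
import re
from datetime import datetime, timedelta

# One token is either a signed offset with a unit (-1d, +8h) or a snap (@d, @w5).
_TOKEN = re.compile(r"(?P<off>[+-]?\d+)(?P<unit>[dh])|@(?P<snap>d|w[0-6])")


def splunk_dow(t: datetime) -> int:
    """Splunk's strftime %w: Sunday=0 ... Saturday=6 (Python has Monday=0)."""
    return (t.weekday() + 1) % 7


def resolve(modifier: str, now: datetime) -> datetime:
    """Resolve a relative-time modifier such as '-1d@d+8h' against 'now'."""
    if modifier == "now":
        return now
    t, pos = now, 0
    for m in _TOKEN.finditer(modifier):
        if m.start() != pos:  # unparsed characters between tokens
            raise ValueError(f"unsupported modifier: {modifier!r}")
        pos = m.end()
        if m.group("snap"):
            t = t.replace(hour=0, minute=0, second=0, microsecond=0)  # @d part
            snap = m.group("snap")
            if snap.startswith("w"):
                # @wN: go back to the most recent weekday N (today if it matches).
                back = (splunk_dow(t) - int(snap[1:])) % 7
                t -= timedelta(days=back)
        else:
            n = int(m.group("off"))
            t += timedelta(days=n) if m.group("unit") == "d" else timedelta(hours=n)
    if pos != len(modifier):
        raise ValueError(f"unsupported modifier: {modifier!r}")
    return t


def resolve_iso(modifier: str, now_iso: str) -> str:
    """Convenience wrapper working on ISO-8601 strings."""
    return resolve(modifier, datetime.fromisoformat(now_iso)).isoformat()


def macro_window(now: datetime) -> tuple[str, str]:
    """Modifiers chosen by the PreviousBusinessDay macro (Friday 08:00-17:00
    on Sat/Sun/Mon, otherwise yesterday 08:00-17:00)."""
    if splunk_dow(now) in (6, 0, 1):
        return "@w5+8h", "@w5+17h"
    return "-1d@d+8h", "-1d@d+17h"


def case_window(now: datetime) -> tuple[str, str]:
    """Modifiers chosen by the case() subsearch (whole previous business day)."""
    dow = splunk_dow(now)
    if dow == 0:
        return "-2d@d", "-1d@d"
    if dow == 1:
        return "-3d@d", "-2d@d"
    return "-1d@d", "@d"


def previous_business_day(now: datetime):
    """Reference answer: the most recent Monday-Friday before today."""
    d = now.date() - timedelta(days=1)
    while d.weekday() >= 5:  # Python: Saturday=5, Sunday=6
        d -= timedelta(days=1)
    return d


def check_week(start: datetime = datetime(2024, 1, 1, 10, 30)) -> dict:
    """For each day of one constructed week (2024-01-01 is a Monday), report
    whether each strategy's resolved window covers the previous business day."""
    results = {}
    for i in range(7):
        now = start + timedelta(days=i)
        expected = previous_business_day(now)
        e_mac, l_mac = macro_window(now)
        e_case, l_case = case_window(now)
        results[now.strftime("%a")] = {
            # Macro window is 08:00-17:00 of the same day.
            "macro": resolve(e_mac, now).date() == expected
            and resolve(l_mac, now).date() == expected,
            # Case window ends at midnight of the following day, so step back one day.
            "case": resolve(e_case, now).date() == expected
            and resolve(l_case, now).date() - timedelta(days=1) == expected,
        }
    return results


if __name__ == "__main__":
    for day, ok in check_week().items():
        print(day, ok)
```

The Monday case the thread worries about resolves correctly under both strategies: on Monday 2024-01-08, @w5+8h snaps back three days to Friday 2024-01-05 08:00, and -3d@d gives Friday midnight. The same checker can be extended with holiday handling, which neither the macro nor the case statement covers.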