Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Compare the time for the execution

praveenkpatidar
Explorer
‎08-10-2016 04:16 PM

Hello Champions,

I come across a very complex logic to tag jobs on its start time.

We have one calculated value, it can be Weekly or Daily based on Job Run start time.

Weekly= If the Job Start time is Saturday 4AM to Monday 6:PM
Daily = for remaining days in week.

If its date comparison we can easily do that. we can have cascaded if then else to check days and then time. Is there any smart way to do that ?

Thanks
Praveen

Tags (2)
0 Karma
Reply

somesoni2
Revered Legend
‎08-10-2016 04:38 PM

Assuming the field name is job_start_date and it's value is string. try like this

your base search | eval job_start_epoch=strptime(job_start_date,"%d/%m/%y %H:%M:%S") | eval dayOfWeek=lower(strftime(job_start_epoch,"%a")) | eval hour=tonumber(strftime(job_start_epoch,"%H") ) 
eval Type=if(dayOfWeek="sun" OR (dayOfWeek="sat" AND hour>=4) OR (dayOfWeek="mon" AND hour<=16 ),"Weekly","Daily"
0 Karma
Reply

sundareshr
Legend
‎08-10-2016 04:34 PM

Assuming this is a scheduled job that runs at different time, try add this to your search. If job start time is a field in you data, you can replace the now() with strptime of field

your base search |  eval tag=if(now()>relative_time(now(), "@w6+4h") AND now()<relative_time(now(), "@w1+6h"), "Weekly", "Daily")
0 Karma
Reply

praveenkpatidar
Explorer
‎08-10-2016 04:32 PM

I think the answer should be

Convert the number of week and time in 24 hour. Combine them %w%H

if its more then 604(Saturday04AM) and less then 218(Monday6PM) then its weekly.
Else its daily

0 Karma
Reply

somesoni2
Revered Legend
‎08-10-2016 04:22 PM

What is the format of field job start time?

0 Karma
Reply

praveenkpatidar
Explorer
‎08-10-2016 04:28 PM

@samesoni2

%d/%m/%y %H:%M:%s

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Building on the foundation established in our initial Value Insights releases, we are introducing the Savings ...

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...