Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create after hour report?

Johnsonbc
Explorer
‎12-20-2022 08:38 AM

I am trying to create an after hour query with specific time frames 1. Mon 0000-0700 and 1900-2400, 2. Tue 0000-0700 and 1900-2400, 3. Wed 0000-0700 and 1900-2400, Thur 0000-0700 and 1900-2400, Fri 0000-0700 and 1900-2400, Sat 0000-2400, and Sun 0000-2400. I have my Cron Express set for 43 10*** 

| sort - _time

| eval user=lower(user)

|eval Day=strftime(_time,”%A”)

|eval Hour=strftime(_time,”%H”)

|eval Date=strftime(_time,”Y-%m-%d”)

| search Hour IN (19,20,21,22,23,24,0,1,2,3,4,5,6,7)

| table Date, Day, Hour, “User Account”

I like the way this is displayed but I cannot figure out how to combine this query with a weekend (FRI 1900-Mon 0700) query. Or will I have to have two different queries? Once completed this will make a good dashboard. 

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-20-2022 08:52 AM

Use OR to test for weekend days or weekday hours.

| sort - _time
| eval user=lower(user)
| eval Day=strftime(_time,”%A”)
| eval Hour=strftime(_time,”%H”)
| eval Date=strftime(_time,”Y-%m-%d”)
| search Day IN (Saturday Sunday) OR Hour IN (19,20,21,22,23,24,0,1,2,3,4,5,6,7)
| table Date, Day, Hour, “User Account”

 

---
If this reply helps you, Karma would be appreciated.
Reply

Johnsonbc
Explorer
‎12-20-2022 08:59 AM

That work but it is not capturing 24 hours on Sat & Sun (0000-2400). It is only doing my week day Hours IN 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-20-2022 11:15 AM

It appears to capture the right times for me.

richgalloway_0-1671563710116.png

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Johnsonbc
Explorer
‎12-21-2022 03:52 AM

I think the reason it was not working for me is because I am running a PIVOT. I was having issues running "Earliest & Latest" and other time & date commands.

Reply

Johnsonbc
Explorer
‎12-20-2022 11:28 AM

It was not working for me so, I created a dashboard with (Mon-Fri) so far. 

| sort - _time

| eval user=lower(user)

|eval Day=strftime(_time,”%A”)

|eval Hour=strftime(_time,”%H”)

|eval Date=strftime(_time,”Y-%m-%d”)

| search Day IN (Monday) Hour IN (0,1,2,3,4,5,6,19,20,21,22,23)

| stats sum(user)

This gives me the number of user that log on after hours Mon-Fri and can drill down if need to. Still working on the weekend hours.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts

We’ve discovered a bug that affected the auto-clear of Synthetic Detectors in the Splunk Synthetic Monitoring ...

Video | Tom’s Smartness Journey Continues

Remember Splunk Community member Tom Kopchak? If you caught the first episode of our Smartness interview ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud? Learn how unique features like ...