I was trying to find an answer for this in other threads, but unfortunately to no avail.
I'm trying to create dummy events imitating log entries.
Say I had two real log entries, one from 9/1/2016 of type "creation" (as in alert's creation) and the other one from 9/06/2016 of type "closure". What I want to do is create 4 dummy log entries of type "ongoing" in between the two (one for each of the 2nd, 3rd, 4th and 5th of September).
Is there a way to do this? I found the "makeresults" command, but I doubt it's the right direction as I cannot think of a way to apply it to my problem.
Any help will be greatly appreciated.
To calculate days between start and complete, you can convert creation & completion dates to epoch and then subtract. However, the events you've shared don't seem to have a time for creation/completion, so not sure how you plan to calculate "off hours" or anything related to hour of day for that matter. Given that, here's one approach to add "dummy days":
your base search | eval startdate=strptime(creation, "%-m/%-d/%Y") | eval enddate=strptime(completion, "%-m/%-d/%Y") | eval workdays=mvrange(startdate, enddate, "1d") | mvexpand workdays
To this, if you have a lookup of holidays, you can flag those dates as "off hours" and you can exclude weekends like this
... | eval dow=strftime(workdays, "%w") | where dow<6 AND dow>0
Hope this gets you started. If not, please provide more sample/complete events and desired output
Thank you so much for suggesting the use of mvrange and mvexpand! I was looking to get dummy days between each log entry and with use of mvrange, mvexpand and delta functions I was able to achieve just that 🙂
Thanks again!
Please use the Eventgen app for it. You can generate it in your local laptop/dev environment and then upload to Splunk web. Or try to stick a universal forwarder in your local laptop/dev environment to do it automatically to your web.
Have you looked into creating an eventgen.conf to create your dummy events yet?
I am using Web Splunk so I don't have access to .conf files I'm afraid 😕 Unless there's a way of achieving the same goal through the web UI
What are you trying to accomplish with the dummy events? Perhaps there's another route to your goal without them.
I need to calculate the "time to restore / actual working hours" for a ticket based on numerous conditions:
Obviously the following conditions may overlap at times, so the only way I could think of for solving this problem was to search for "Creation", "Pending Start", "Pending End" and "Restoration" log entries and then split the days between each log entry into dummy log entries of type "Ongoing". Then I could put it all into a table and create help columns like "is_business_day", "is_pending", "is_holiday", "shift_start", "shift_end", "is_before_business_hours", "is_past_business_hours" etc. with values of 0 or 1 per each log entry. This way, even if two or more of the above conditions overlap (say a holiday and Pending status), they will be counted as one "off clock" time for as long as they overlap.
I hope this makes sense...
If you can think of a more straightforward solution then by all means please let me know 🙂
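The same mvrange/mvexpand expansion and the 0/1 help-column approach described above, written out in Python as an added example (not code from the thread or from Splunk). The events and the holiday lookup are constructed sample values; the per-day rows are what the "Ongoing" dummy entries would carry.

```python
from datetime import datetime, timedelta

# Constructed sample events: the thread's 9/1/2016 creation and 9/6/2016 closure.
EVENTS = [
    {"alert": "A-1", "type": "creation", "date": "9/1/2016"},
    {"alert": "A-1", "type": "closure", "date": "9/6/2016"},
]
# Hypothetical holiday lookup standing in for a Splunk lookup table.
HOLIDAYS = {"9/5/2016"}  # constructed value (US Labor Day 2016)

def parse_date(text):
    # Python's %m/%d accept the non-padded "9/1" form used in the thread.
    return datetime.strptime(text, "%m/%d/%Y")

def expand_ongoing(events, holidays=HOLIDAYS):
    """Build one 'ongoing' dummy row per day strictly between creation and
    closure, with 0/1 help columns, mirroring eval mvrange(...) | mvexpand."""
    by_alert = {}
    for e in events:
        by_alert.setdefault(e["alert"], {})[e["type"]] = parse_date(e["date"])
    rows = []
    for alert, d in by_alert.items():
        day = d["creation"] + timedelta(days=1)
        while day < d["closure"]:
            dow = int(day.strftime("%w"))  # 0=Sunday ... 6=Saturday, as in SPL %w
            key = f"{day.month}/{day.day}/{day.year}"
            is_business = int(0 < dow < 6)
            is_holiday = int(key in holidays)
            rows.append({
                "alert": alert, "type": "ongoing", "date": key,
                "is_business_day": is_business, "is_holiday": is_holiday,
                # Overlapping off-clock conditions collapse into a single flag,
                # so a holiday that is also a pending day is only counted once.
                "off_clock": int(not is_business or is_holiday),
            })
            day += timedelta(days=1)
    return rows

def working_days(rows):
    """Count the dummy days that are on the clock."""
    return sum(1 for r in rows if not r["off_clock"])

if __name__ == "__main__":
    ongoing = expand_ongoing(EVENTS)
    for r in ongoing:
        print(r)
    print("working days:", working_days(ongoing))
```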