Hi, I have 3 shifts in a day, and the last shift runs from tonight to tomorrow morning. I want to collect the logs of this shift and count them. My SPL is here:
Base Search here
| eval date_hour=strftime(_time,"%H")
| eval date=strftime(_time,"%d/%m")
| eval shift=case(date_hour>7 AND date_hour<15, "Shift 1", date_hour>14 AND date_hour<22, "Shift 2", date_hour>22 OR date_hour<8 , "Shift 3")
| stats count by a, b, date, shift
| chart sum(count) by shift, date
| addtotals
I'm using 24h format. Shift 3 in the case command does not work well. I miss the time between 0h-8h of the next day for Shift 3 of the day that I'm checking.
Subtract 8 hours from the time when determining which shift the time is from:
| eval date_hour=strftime(_time-(8*60*60),"%H")
| eval date=strftime(_time-(8*60*60),"%d/%m")
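An added example, not part of the original posts: the 8-hour shift applied end to end on constructed sample events (the `constructed_ts` values and the field names `shifted` and `shift_hour` are assumptions made for illustration). Once the time is shifted, the `case` thresholds have to move with it: 08:00-14:59 becomes hours 0-6, 15:00-21:59 becomes hours 7-13, and everything else is Shift 3. It also assumes 22:00-22:59 belongs to Shift 3, which the original `case` leaves unassigned.

```spl
| makeresults count=6
| streamstats count AS n
| eval constructed_ts=case(n=1,"2024-05-14 07:59:59", n=2,"2024-05-14 08:00:00", n=3,"2024-05-14 14:59:59", n=4,"2024-05-14 22:00:00", n=5,"2024-05-15 00:30:00", n=6,"2024-05-15 07:59:59")
| eval _time=strptime(constructed_ts,"%Y-%m-%d %H:%M:%S")
| eval shifted=_time-(8*60*60)
| eval shift_hour=tonumber(strftime(shifted,"%H"))
| eval date=strftime(shifted,"%d/%m")
| eval shift=case(shift_hour<7,"Shift 1", shift_hour<14,"Shift 2", true(),"Shift 3")
| chart count by date, shift
| addtotals
```

Because `date` is taken from the shifted time, events between midnight and 08:00 are counted under the previous day's Shift 3 rather than under the calendar day they occurred on.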
Thank you, but I don't think so. The results are not right 😄 Btw, I got these statistics, and I want to make an addition from 1 to 2. This will be the right result.
Can you show your search which produced these results?