Get Result from next day for my report

lnn2204 · ‎10-15-2021

Hi, I had 3 shift in a day, and the last shift from this night to the morning tomorrow. I want i can collect logs of this shift and count it. My SPL here:

Base Search here
| eval date_hour=strftime(_time,"%H")
| eval date=strftime(_time,"%d/%m")
| eval shift=case(date_hour>7 AND date_hour<15, "Shift 1", date_hour>14 AND date_hour<22, "Shift 2", date_hour>22 OR date_hour<8 , "Shift 3")
| stats count by a, b, date, shift
| chart sum(count) by shift, date
| addtotals

I'm using 24h format. The Shift 3 in case command does not work well. I missed the time between 0h-8h of next day for shift 3 of the day that I'm checking.

ITWhisperer · ‎10-15-2021

Subtract 8 hours from the time when determining which shift the time is from

| eval date_hour=strftime(_time-(8*60*60),"%H")
| eval date=strftime(_time-(8*60*60),"%d/%m")

lnn2204 · ‎10-15-2021

Thank you, but I don't think so. The result are not right 😄 btw, I got this statistics, and I want to make an addition from 1 to 2. This will be the right results

ITWhisperer · ‎10-16-2021

Can you show your search which produced these results?

Get Result from next day for my report

scheduled search

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!