Reporting

How can I set a report to run that includes events from 1 or 3 days prior based on the current day of the week?

Path Finder

I have a report that I'd like to create, but I need to set the earliest clause based on the current day of the week. So, for example, on Mondays I need to set earliest to -3d at 07:30:00 (so records from Friday at 7:30 am onward are captured). On the rest of the days of the week I would like to set it to -1d at 07:30:00.

I have the logic figured out on how to determine the day of the week, but things go sideways on me when I specify the earliest clause.


Re: How can I set a report to run that includes events from 1 or 3 days prior based on the current day of the week?

Motivator

To find the current day of the week, use something like the below:

| eval DayOfWeek=strftime(_time, "%A")


Re: How can I set a report to run that includes events from 1 or 3 days prior based on the current day of the week?

Path Finder

Right, I have that part. More specifically:

| eval start=if( (strftime(Now(),"%a") == "Mon"), "-3d0", "-1d") | eval rtime=strftime(relativetime(now(), start),"%m/%d/%Y:07:30:00") | where earliest=r_time

However, it's not finding any results, even though I know they exist.


Re: How can I set a report to run that includes events from 1 or 3 days prior based on the current day of the week?

Super Champion

I think what you may have to do is set earliest=-3d@d and then add in the logistics to filter out based on the current day.

|eval filter=if(strftime(now(),"%w")="1",relative_time(now(),"-3d@d+7h+30m"),relative_time(now(),"-1d@d+7h+30m"))|where _time>=filter


Re: How can I set a report to run that includes events from 1 or 3 days prior based on the current day of the week?

Path Finder

I think you are close. I adapted what you wrote to the following:

index="myindex" | eval start=if( (strftime(now(),"%a") == "Mon"), "-3d@d+7h+30m", "-10d@d+7h+30m") | eval rtime=relative_time(now(), start) | eval srtime=strftime(rtime,"%m/%d/%Y:%X") | where _time >= rtime | table eventID, _time, rtime

but now I seem to be getting everything. Looking at _time and rtime, they are of different formats:

_time = 2017-04-25 19:59:00
rtime = 1502022600.000000

Is that why?


Re: How can I set a report to run that includes events from 1 or 3 days prior based on the current day of the week?

Motivator

Add this before the where condition:

| eval rtime=strftime(rtime,"%Y-%m-%d %H:%M:%S")


Re: How can I set a report to run that includes events from 1 or 3 days prior based on the current day of the week?

Path Finder

Very strange. Now I've got nothing. But the formats are matching.


Re: How can I set a report to run that includes events from 1 or 3 days prior based on the current day of the week?

Super Champion

_time is in epoch, but displays in human-readable form. If you were to add |eval time=_time it should display time as epoch as well.

Try changing strftime(now(),"%a") to relative_time(now(),"%a") in your start eval.

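The window rule from the accepted reply above (a Monday run starts at Friday 07:30, -3d@d+7h+30m; any other day starts at yesterday 07:30, -1d@d+7h+30m) and the epoch-versus-string comparison problem from the later replies, worked through in Python as an added example. This is not code from the thread or from Splunk. The event IDs and timestamps are constructed for the example, and the UTC clock is an assumption. One numbering difference to keep in mind when translating: Splunk's strftime "%w" returns Monday as "1" (Sunday is "0"), while Python's weekday() returns Monday as 0.

```python
from datetime import datetime, timedelta, timezone

# Window rule from the thread: a run on Monday starts at Friday 07:30
# (Splunk modifier -3d@d+7h+30m); a run on any other day starts at
# yesterday 07:30 (-1d@d+7h+30m).


def run_at(y, m, d, hh=0, mm=0) -> datetime:
    """A tz-aware 'now' for a report run. UTC is an assumption of this example."""
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


def window_start(now: datetime) -> datetime:
    """Earliest timestamp for a report run at `now` (tz-aware datetime)."""
    days_back = 3 if now.weekday() == 0 else 1  # Python: Monday == 0
    snapped = now.replace(hour=0, minute=0, second=0, microsecond=0)  # the "@d" snap
    return snapped - timedelta(days=days_back) + timedelta(hours=7, minutes=30)


def spl_modifier(now: datetime) -> str:
    """The Splunk relative-time modifier that expresses the same rule."""
    return "-3d@d+7h+30m" if now.weekday() == 0 else "-1d@d+7h+30m"


def filter_events(events, now: datetime):
    """Keep events whose epoch _time is at or after the window start.

    Both sides of the comparison are numbers (epoch seconds), which is the
    shape the working search in the thread ends up with: `| where _time >= rtime`
    with rtime still numeric.
    """
    start = window_start(now).timestamp()
    return [e["eventID"] for e in events if e["_time"] >= start]


def string_cutoff_breaks(events, now: datetime) -> bool:
    """Reproduce the mid-thread mistake: strftime() the cutoff into a string
    and then compare it with the numeric _time field. Python refuses to order
    a float against a str, which makes the type mismatch visible; the thread
    reports that the Splunk search simply returned nothing."""
    cutoff = window_start(now).strftime("%Y-%m-%d %H:%M:%S")
    try:
        [e for e in events if e["_time"] >= cutoff]
    except TypeError:
        return True
    return False


def _ts(y, m, d, hh, mm, ss=0) -> float:
    return datetime(y, m, d, hh, mm, ss, tzinfo=timezone.utc).timestamp()


# Constructed sample events (not from the thread). 2017-04-21 is a Friday,
# 2017-04-24 a Monday.
SAMPLE_EVENTS = [
    {"eventID": "e1", "_time": _ts(2017, 4, 21, 7, 29, 59)},  # Fri, one second early
    {"eventID": "e2", "_time": _ts(2017, 4, 21, 7, 30)},      # Fri 07:30:00 exactly
    {"eventID": "e3", "_time": _ts(2017, 4, 22, 12, 0)},      # Sat midday
    {"eventID": "e4", "_time": _ts(2017, 4, 24, 7, 0)},       # Mon 07:00, before a Tue run's cutoff
    {"eventID": "e5", "_time": _ts(2017, 4, 24, 8, 15)},      # Mon 08:15
]

if __name__ == "__main__":
    for run in (run_at(2017, 4, 24, 9, 0), run_at(2017, 4, 25, 9, 0)):
        print(run.strftime("%a"), spl_modifier(run), window_start(run).isoformat(),
              filter_events(SAMPLE_EVENTS, run))
    print("string cutoff breaks:", string_cutoff_breaks(SAMPLE_EVENTS, run_at(2017, 4, 24, 9, 0)))
```

The Monday run keeps e2 through e5 (Friday 07:30:00 is inclusive, 07:29:59 is not); the Tuesday run keeps only e5. The point of string_cutoff_breaks is that the window arithmetic was never the problem in the thread: formatting rtime for display before the where clause is what stopped the comparison working, so format a copy (srtime) for the table and compare on the epoch value.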

Re: How can I set a report to run that includes events from 1 or 3 days prior based on the current day of the week?

Path Finder

cmerriman, that seems to have done the trick!

Thank you both!


Re: How can I set a report to run that includes events from 1 or 3 days prior based on the current day of the week?

SplunkTrust

Try it like this:

index=foo sourcetype=bar [| gentimes start=-1 | eval earliest=if(lower(strftime(now(),"%a"))="mon",relative_time(now(),"-3d@d+7h+30m"),relative_time(now(),"-1d@d+7h+30m")) | table earliest ] | rest of the search