Hello
Looking at the scheduled report delivery, there is no option to exclude days in a longer time range or limit the report to a specific time frame.
Can you point me in the right direction of creating 2 reports:
1 - daily that contains events between 9 AM and 6 PM
2 - monthly that contains events between 9 AM and 6 PM excluding weekends (so Monday to Friday)
Splunk version: 6.3.1
Thank you in advance.
Like this:
sourcetype=foo
| eval date_hour=strftime(_time, "%H") | eval date_wday = strftime(_time, "%w")
| search date_hour>=9 date_hour<=18 date_wday>=1 date_wday<=5
This also worked for me on Splunk 6.5.2:
source=source (date_hour>=9 date_hour<=18) (date_wday!=sunday date_wday!=saturday)
You can use the following for your daily report (assuming you run the report daily to create a report of yesterday's data):
index=yourindex sourcetype=yoursourcetype earliest=-1d@d+9h latest=@d-6h | your reporting commands
Use this for your monthly report (for the previous month):
index=yourindex sourcetype=yoursourcetype earliest=-1mon@mon latest=@mon date_hour>=9 date_hour<=18 NOT (date_wday=saturday OR date_wday=sunday) | your reporting commands
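Before scheduling either search, it is worth checking where the relative time modifiers actually land, since `@d`, `@mon` and the `+9h`/`-6h` offsets snap in the search head's time zone and an off-by-one here silently drops or doubles a day's events. The search below is an added example, not part of the answer above: it resolves the four boundaries with `relative_time()` and prints them with the weekday name so you can eyeball them. It assumes `makeresults` is available (it is on 6.3 and later); no index is read.

```spl
| makeresults
| eval daily_earliest = relative_time(now(), "-1d@d+9h")
| eval daily_latest   = relative_time(now(), "@d-6h")
| eval month_earliest = relative_time(now(), "-1mon@mon")
| eval month_latest   = relative_time(now(), "@mon")
| eval daily_earliest = strftime(daily_earliest, "%Y-%m-%d %H:%M:%S %A")
| eval daily_latest   = strftime(daily_latest,   "%Y-%m-%d %H:%M:%S %A")
| eval month_earliest = strftime(month_earliest, "%Y-%m-%d %H:%M:%S %A")
| eval month_latest   = strftime(month_latest,   "%Y-%m-%d %H:%M:%S %A")
| table daily_earliest daily_latest month_earliest month_latest
```

Run it at the same time of day the report is scheduled for: `daily_earliest` should read yesterday 09:00:00 and `daily_latest` yesterday 18:00:00, and the two monthly values should be the first of last month and the first of this month at 00:00:00. If the weekday names or hours are not what you expect, the scheduled search inherits the same shift, which is the usual cause of "missing events" in a time-boxed report.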
When using your search I had missing events.
What if the time is between 9:30 and 18:30?
Like this:
sourcetype=foo
| eval date_hour=strftime(_time, "%H") | eval date_wday = strftime(_time, "%w")
| search date_hour>=9 date_hour<=18 date_wday>=1 date_wday<=5
Thank you. This works.
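The answer above works on whole hours only; for a window such as 9:30 to 18:30 you need minute precision. The search below is an added example rather than anything posted in this thread. It derives the hour-and-minute as a single number from `_time` (so `09:30` becomes `930`), which also avoids relying on the default `date_hour`/`date_wday` fields, which are taken from the raw timestamp in the event and are not adjusted to the searching user's time zone. `sourcetype=foo` is a placeholder, the window is half-open (18:30:00 itself is excluded), and `timechart` stands in for whatever reporting command you actually use.

```spl
sourcetype=foo
| eval hhmm = tonumber(strftime(_time, "%H%M"))
| eval wday = tonumber(strftime(_time, "%w"))
| where hhmm >= 930 AND hhmm < 1830 AND wday >= 1 AND wday <= 5
| timechart span=1h count
```

`%w` yields 0 for Sunday through 6 for Saturday, so `wday >= 1 AND wday <= 5` is Monday to Friday. Keep the `earliest`/`latest` modifiers from the earlier answer on the scheduled search as well; the `where` clause only decides which events inside that range are kept, so the time range still controls how much data is scanned.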
You can use date_mday and date_hour to filter your scheduled searches:
Like this:
sourcetype=foo date_hour>=9 date_hour<=18 (date_wday=monday OR date_wday=tuesday OR date_wday=wednesday OR date_wday=thursday OR date_wday=friday)
For some reason, using your string I only get 1 event per day, and that is not OK.