Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to only include data for certain hours of the day and certain days of the week for scheduled report delivery?

andrei1bc
Communicator
‎02-24-2016 07:16 AM

Hello

Looking at the scheduled report delivery, there is no option to exclude days in a longer time range or limit the report to a specific time frame.

Can you point me in the right direction of creating 2 reports:
1 - daily that contains events between 9 AM and 6 PM
2 - monthly that contains events between 9 AM and 6 PM excluding weekends (so Monday to Friday)

Splunk version: 6.3.1

Thank you in advance.

Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎02-25-2016 07:12 PM

Like this:

 sourcetype=foo
| eval date_hour=strftime(_time, "%H") | eval date_wday = strftime(_time, "%w")
| search date_hour>=9 date_hour<=18 date_wday>=1 date_wday<=5

View solution in original post

Reply
Solved! Jump to solution

bchainou
New Member
‎04-28-2017 03:47 PM

This also worked for me on Splunk 6.5.2.:
source=source (date_hour>=9 date_hour<=18) (date_wday!=sunday date_wday!=saturday)

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎02-25-2016 07:28 PM

You can use following for your daily report (assuming you run the report daily to create report of yesterday's data)

index=yourindex sourcetype=yoursourcetype earliest=-1d@d+9h latest=@d-6h  | your reporting commands

Use this for your monthly report (for previous month)

 index=yourindex sourcetype=yoursourcetype earliest=-1mon@mon latest=@mon date_hour>=9 date_hour<=18 NOT (date_wday=saturday OR date_wday=sunday) | your reporting commands
0 Karma
Reply
Solved! Jump to solution

andrei1bc
Communicator
‎03-17-2016 06:52 AM

When using your search i had missing events.

0 Karma
Reply
Solved! Jump to solution

KChaudhary
Explorer
‎09-05-2018 07:36 AM

what if the time is between 9:30 to 18:30?

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎02-25-2016 07:12 PM

Like this:

 sourcetype=foo
| eval date_hour=strftime(_time, "%H") | eval date_wday = strftime(_time, "%w")
| search date_hour>=9 date_hour<=18 date_wday>=1 date_wday<=5
Reply
Solved! Jump to solution

andrei1bc
Communicator
‎03-17-2016 06:51 AM

Thank you. This works.

0 Karma
Reply
Solved! Jump to solution

HeinzWaescher
Motivator
‎02-24-2016 07:45 AM

You can use date_mday and date_hour to filter your scheduled searches:

Like this:

sourcetype=foo date_hour>=9 date_hour<=18 (date_wday=monday OR date_wday=tuesday OR date_wday=wednesday OR date_wday=thursday OR date_wday=friday)
0 Karma
Reply
Solved! Jump to solution

andrei1bc
Communicator
‎02-24-2016 08:50 AM

For some reason using your string i only get 1 event per day and that is not ok.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...