
How to only include data for certain hours of the day and certain days of the week for scheduled report delivery?

Communicator

Hello

Looking at the scheduled report delivery, there is no option to exclude days in a longer time range or limit the report to a specific time frame.

Can you point me in the right direction for creating 2 reports:
1 - daily that contains events between 9 AM and 6 PM
2 - monthly that contains events between 9 AM and 6 PM excluding weekends (so Monday to Friday)

Splunk version: 6.3.1

Thank you in advance.

0 Karma

Re: How to only include data for certain hours of the day and certain days of the week for scheduled report delivery?

Motivator

You can use date_mday and date_hour to filter your scheduled searches:

Like this:

sourcetype=foo date_hour>=9 date_hour<=18 (date_wday=monday OR date_wday=tuesday OR date_wday=wednesday OR date_wday=thursday OR date_wday=friday)
0 Karma

Re: How to only include data for certain hours of the day and certain days of the week for scheduled report delivery?

Communicator

For some reason, using your string I only get 1 event per day and that is not ok.

0 Karma

Re: How to only include data for certain hours of the day and certain days of the week for scheduled report delivery?

Esteemed Legend

Like this:

 sourcetype=foo
| eval date_hour=strftime(_time, "%H") | eval date_wday = strftime(_time, "%w")
| search date_hour>=9 date_hour<=18 date_wday>=1 date_wday<=5


Re: How to only include data for certain hours of the day and certain days of the week for scheduled report delivery?

Communicator

Thank you. This works.

0 Karma

Re: How to only include data for certain hours of the day and certain days of the week for scheduled report delivery?

SplunkTrust

You can use the following for your daily report (assuming you run the report daily to create a report of yesterday's data):

index=yourindex sourcetype=yoursourcetype earliest=-1d@d+9h latest=@d-6h  | your reporting commands

Use this for your monthly report (for the previous month):

 index=yourindex sourcetype=yoursourcetype earliest=-1mon@mon latest=@mon date_hour>=9 date_hour<=18 NOT (date_wday=saturday OR date_wday=sunday) | your reporting commands
0 Karma

Re: How to only include data for certain hours of the day and certain days of the week for scheduled report delivery?

Communicator

When using your search I had missing events.

0 Karma

Re: How to only include data for certain hours of the day and certain days of the week for scheduled report delivery?

Explorer

What if the time is between 9:30 and 18:30?

0 Karma
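
The eval/strftime approach from the accepted answer can be extended to boundaries that are not on the hour, such as the 9:30 to 18:30 window asked about above, by comparing minutes since midnight over a half-open range. This is an added example, not a post from the original thread; `yourindex` and `yoursourcetype` are the placeholders used earlier in the thread, and the field names `wday` and `minute_of_day` and the closing `timechart` are illustrative assumptions.

```spl
index=yourindex sourcetype=yoursourcetype earliest=-1mon@mon latest=@mon
| eval wday = tonumber(strftime(_time, "%w"))
| eval minute_of_day = tonumber(strftime(_time, "%H")) * 60 + tonumber(strftime(_time, "%M"))
| where wday >= 1 AND wday <= 5 AND minute_of_day >= 570 AND minute_of_day < 1110
| timechart span=1d count
```

Here 570 and 1110 are 9:30 and 18:30 expressed as minutes since midnight, and `%w` numbers the weekdays from 0 (Sunday) to 6 (Saturday). `strftime` renders `_time` in the time zone of the user running the search, whereas the default `date_*` fields are taken from the timestamp text in the raw event.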

Re: How to only include data for certain hours of the day and certain days of the week for scheduled report delivery?

New Member

This also worked for me on Splunk 6.5.2:
source=source (date_hour>=9 date_hour<=18) (date_wday!=sunday date_wday!=saturday)

0 Karma