Looking at the scheduled report delivery, there is no option to exclude days in a longer time range or limit the report to a specific time frame.
Can you point me in the right direction for creating 2 reports:
1 - daily that contains events between 9 AM and 6 PM
2 - monthly that contains events between 9 AM and 6 PM excluding weekends (so Monday to Friday)
Splunk version: 6.3.1
Thank you in advance.
You can use date_wday and date_hour to filter your scheduled searches:
sourcetype=foo date_hour>=9 date_hour<=18 (date_wday=monday OR date_wday=tuesday OR date_wday=wednesday OR date_wday=thursday OR date_wday=friday)
For some reason using your string I only get 1 event per day and that is not ok.
sourcetype=foo | eval date_hour=strftime(_time, "%H") | eval date_wday = strftime(_time, "%w") | search date_hour>=9 date_hour<=18 date_wday>=1 date_wday<=5
You can use the following for your daily report (assuming you run the report daily to create a report of yesterday's data)
index=yourindex sourcetype=yoursourcetype earliest=-1d@d+9h latest=@d-6h | your reporting commands
Use this for your monthly report (for the previous month)
index=yourindex sourcetype=yoursourcetype earliest=-1mon@mon latest=@mon date_hour>=9 date_hour<=18 NOT (date_wday=saturday OR date_wday=sunday) | your reporting commands
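As an added illustration (my own Python, not code from this thread or from Splunk), here is a small resolver for the relative-time modifiers used in these searches: run against a constructed Tuesday-morning clock, it shows that earliest=-1d@d+9h and latest=@d-6h resolve to 09:00 and 18:00 of the previous day, that -1mon@mon and @mon bracket the previous calendar month, and that the date_hour<=18 test still keeps events from 18:00 to 18:59. It supports only the units s, m, h, d and mon, and the clock values are assumptions for the demonstration.

```python
import calendar
import re
from datetime import datetime, timedelta

# Constructed example (not from the thread): resolves the relative-time modifiers used
# above (-1d@d+9h, @d-6h, -1mon@mon, @mon) and applies the date_hour/date_wday filter.
_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}          # supported units + "mon"
_TOKEN = re.compile(r"([+-]?)(\d*)(mon|[smhd])")             # e.g. "-1d", "+9h", "-1mon"
_SNAP = {"mon": dict(day=1, hour=0, minute=0, second=0),    # @mon -> 1st of month 00:00
         "d": dict(hour=0, minute=0, second=0),             # @d   -> midnight
         "h": dict(minute=0, second=0), "m": dict(second=0)}

def _as_datetime(value):
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)

def _shift(t, n, unit):
    """Move t by n units; month arithmetic clamps the day (Mar 31 - 1mon -> Feb 29)."""
    if unit == "mon":
        year, month = divmod(t.year * 12 + (t.month - 1) + n, 12)
        day = min(t.day, calendar.monthrange(year, month + 1)[1])
        return t.replace(year=year, month=month + 1, day=day)
    return t + timedelta(seconds=n * _SECONDS[unit])

def _apply(t, offsets):
    """Apply every "<sign><count><unit>" token in offsets, in order."""
    for sign, num, unit in _TOKEN.findall(offsets):
        n = int(num or "1")
        t = _shift(t, -n if sign == "-" else n, unit)
    return t

def resolve_relative(modifier, now):
    """Resolve e.g. '-1d@d+9h' against 'now' (datetime or ISO string): offsets
    before '@' first, then snap to the unit after '@', then trailing offsets."""
    before, _, after = modifier.partition("@")
    t = _apply(_as_datetime(now), before)
    if after:
        unit, rest = re.match(r"(mon|[smhd])(.*)", after).groups()
        t = _apply(t.replace(microsecond=0, **_SNAP[unit]), rest)
    return t

def in_business_hours(t):
    """date_hour>=9 date_hour<=18 NOT (saturday OR sunday); note 18:xx is still in."""
    t = _as_datetime(t)
    return 9 <= t.hour <= 18 and t.weekday() < 5                  # Monday == 0
```

Calling resolve_relative("-1d@d+9h", "2016-03-15 07:30") and resolve_relative("@d-6h", "2016-03-15 07:30") gives 2016-03-14 09:00 and 2016-03-14 18:00, which is the window the daily search above selects.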
When using your search I had missing events.
This also worked for me on Splunk 6.5.2:
source=source (date_hour>=9 date_hour<=18) (date_wday!=sunday date_wday!=saturday)