Splunk Search

Display table base on the if condition

syedikramulla
Explorer

Hi,

I want to count the LOGLEVEL only for weekdays.  If there's not logs then the query should return '0'.  Can you please help me to correct this query.

index="XYZ" sourcetype=Logs LOGLEVEL=ERROR OR LOGLEVEL=FATAL OR LOGLEVEL=INFO|eval Day=strftime(_time,"%w")|
eval DayType=if((Day >=0) AND (Day <=6) ,"WeeekDay","WeekEnd") | If(DayType=="WeekDay", count(LOGLEVEL=ERROR OR LOGLEVEL=FATAL OR LOGLEVEL=INFO),'0')

 

Regards,

Syed

Labels (1)
0 Karma
1 Solution

tscroggins
Influencer

@syedikramulla 

The date_wday field may already be extracted from your events, but but be mindful of time zone differences between the raw data and your Splunk settings:

index="XYZ" sourcetype=Logs (LOGLEVEL=ERROR OR LOGLEVEL=FATAL OR LOGLEVEL=INFO) date_wday!=saturday date_wday!=sunday
| timechart span=1d count

If date_wday isn't present or if you don't trust the vale:

index="XYZ" sourcetype=Logs (LOGLEVEL=ERROR OR LOGLEVEL=FATAL OR LOGLEVEL=INFO)
| eval Day=strftime(_time, "%w")
| where Day>0 AND Day<6
| timechart span=1d count

View solution in original post

syedikramulla
Explorer

thank you

tscroggins
Influencer

@syedikramulla 

The date_wday field may already be extracted from your events, but but be mindful of time zone differences between the raw data and your Splunk settings:

index="XYZ" sourcetype=Logs (LOGLEVEL=ERROR OR LOGLEVEL=FATAL OR LOGLEVEL=INFO) date_wday!=saturday date_wday!=sunday
| timechart span=1d count

If date_wday isn't present or if you don't trust the vale:

index="XYZ" sourcetype=Logs (LOGLEVEL=ERROR OR LOGLEVEL=FATAL OR LOGLEVEL=INFO)
| eval Day=strftime(_time, "%w")
| where Day>0 AND Day<6
| timechart span=1d count
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...