Splunk Search

Get data from the last 2 business days

younesboumaaz
Engager

I'm setting up an alert that will run every business day at 9AM and trigger only if the sum of a field is 0 for 2 consecutive business days.

To do that, I want to set my time range for my search to return events from the last two business days.

For example, if it is Monday, it will return data for Thursday and Friday, if it is Tuesday, it will return data for Friday and Monday.

I tried to use "earliest" and "latest" at the beginning of my search, but I can't get it to work...

Any Help would be welcome ! 🙂

1 Solution

younesboumaaz
Engager

Thank you for your response! Indeed, it would work if only date_wday were in my data... But no worries, it inspired me, and I worked on it to finally find a solution!

I've set my time range to "last 6 days":

index=yourindex
| timechart span=1d sum(NbrHashOK) as sommehash
| fillnull value=0 sommehash
| eval
    Jour=strftime(_time, "%A %d %B %Y"),
    day_of_week=strftime(_time, "%A"),
    now=strftime(now(), "%A"),
    test=case(
        now="Monday" AND (day_of_week="Thursday" OR day_of_week="Friday"), "OK",
        now="Tuesday" AND (day_of_week="Friday" OR day_of_week="Monday"), "OK",
        now="Wednesday" AND (day_of_week="Monday" OR day_of_week="Tuesday"), "OK",
        now="Thursday" AND (day_of_week="Tuesday" OR day_of_week="Wednesday"), "OK",
        now="Friday" AND (day_of_week="Wednesday" OR day_of_week="Thursday"), "OK",
        1=1, 0)
| where test="OK"
| stats sum(sommehash) as test_sommehash values(Jour) as jour


lydiapal_splunk
Splunk Employee

Hi! 

Here's a solution that will work if your data has the default field "date_wday" extracted (see docs here). Although it is a default field (extracted automatically), you should read the docs before using this field. If this field is not available, you would need some other logic to determine the weekday for each event.

index=yourindex earliest=-4d@d latest=-0d@d date_wday IN ("monday","tuesday","wednesday","thursday","friday")
| eventstats latest(date_wday) as last_weekday
| eval previous_working_day=case(
    last_weekday="monday", "friday",
    last_weekday="tuesday", "monday",
    last_weekday="wednesday", "tuesday",
    last_weekday="thursday", "wednesday",
    last_weekday="friday", "thursday")
| where date_wday=last_weekday OR date_wday=previous_working_day
... rest of your search...

Basically, the search will look back over the last 4 full days (as on Monday it will have to look back to Thursday-Friday).

It will filter to only look at weekdays, determine the last weekday and, based on this, determine the previous weekday. Then it will filter to only show those last two weekdays.

Hope this helps! 😊

Phoebe


lydiapal_splunk
Splunk Employee

Also to note that there must be events on the "last working day" for this search to work.

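The following is an added example, not code from either poster: it models the accepted solution's logic (pick the two business days before the run, bucket the field per day, treat a day with no events as 0, alert when both buckets are 0) outside Splunk, so the weekday window and the zero-sum condition can be checked against constructed sample data. It generalizes the hand-written weekday table to any run day, including weekends, and it illustrates the caveat above: the timechart/fillnull approach counts a day with no events at all as 0, whereas a search that derives the window from the latest event present needs events on the last working day. Function names and the sample events are assumptions made for this illustration.

```python
# Added example (not from the thread): the "last two business days" alert logic
# modelled outside Splunk, so the weekday window and the zero-sum condition can
# be checked against constructed sample data.
from datetime import date, datetime, timedelta


def previous_business_days(today, n=2):
    """Return the n business days (Mon-Fri) strictly before `today`, oldest first.

    Generalises the hand-written weekday table in the accepted answer: on a
    Monday it yields Thursday and Friday, on a Tuesday Friday and Monday, and it
    also gives a sensible answer if the job happens to run on a weekend.
    """
    found = []
    day = today
    while len(found) < n:
        day -= timedelta(days=1)
        if day.weekday() < 5:  # Monday=0 ... Friday=4; skip Saturday/Sunday
            found.append(day)
    return sorted(found)


def daily_sums(events, days):
    """Equivalent of `timechart span=1d sum(NbrHashOK)` followed by
    `fillnull value=0`: one bucket per requested day, pre-seeded with 0 so a day
    with no events at all still contributes a zero rather than disappearing."""
    sums = {d: 0 for d in days}
    for ts, value in events:
        if ts.date() in sums:
            sums[ts.date()] += value
    return sums


def alert_fires(events, run_time):
    """True when the sum is 0 on both of the two business days before `run_time`.

    Returns (fired, per_day_sums) so the caller can see which days were used.
    """
    days = previous_business_days(run_time.date())
    sums = daily_sums(events, days)
    return all(v == 0 for v in sums.values()), sums


# Constructed sample events as (timestamp, NbrHashOK); not real data.
SAMPLE_EVENTS = [
    (datetime(2021, 5, 13, 10, 0), 5),   # Thursday: some hashes OK
    (datetime(2021, 5, 14, 11, 30), 0),  # Friday: events present, all zero
    # deliberately no events at all on Monday 17 May 2021
    (datetime(2021, 5, 18, 9, 5), 0),    # Tuesday: events present, all zero
]

if __name__ == "__main__":
    # Simulate the 9AM run on Monday, Tuesday and Wednesday of that week.
    for run in (datetime(2021, 5, 17, 9), datetime(2021, 5, 18, 9), datetime(2021, 5, 19, 9)):
        fired, sums = alert_fires(SAMPLE_EVENTS, run)
        print(run.strftime("%A"),
              {d.strftime("%a %d"): v for d, v in sums.items()},
              "ALERT" if fired else "ok")
```

On the Monday run the window is Thursday and Friday (5 and 0), so nothing fires; on the Tuesday run the window is Friday and Monday, and because Monday had no events at all it is counted as 0, so the alert fires. That is exactly the case the `fillnull value=0` in the accepted search exists for.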