Splunk Search

Get data from the last 2 business days

younesboumaaz
Engager

I'm setting an alert that will run every business day at 9AM and triggers only if the sum of a field is 0 for 2 consecutive business days.

To do that, I want to set my time range for my search to return events from the last two business days.

For example, if it is Monday, it will return data for Thursday and Friday, if it is Tuesday, it will return data for Friday and Monday.

I tried to use "earliest" and "latest" at the beginning of my search but I can't get it to work...

Any help would be welcome! 🙂


lydiapal_splunk
Splunk Employee

Hi! 

Here's a solution that will work if your data has the default field "date_wday" extracted (see docs here). Although it is a default field (extracted automatically), you should read the docs before using this field. If this field is not available, you would need some other logic to determine the weekday for each event.

index=yourindex earliest=-4d@d latest=-0d@d date_wday IN ("monday","tuesday","wednesday","thursday","friday")
| eventstats latest(date_wday) as last_weekday
| eval previous_working_day=case(last_weekday="monday","friday",last_weekday="tuesday","monday",last_weekday="wednesday","tuesday",last_weekday="thursday","wednesday",last_weekday="friday","thursday")
| where date_wday=last_weekday OR date_wday=previous_working_day
... rest of your search...

Basically the search will look back over the last 4 full days (as on Monday it has to look back to Thursday and Friday).

It will filter to only look at weekdays, determine the last weekday and, based on this, determine the previous weekday. Then it will filter to only show those last two weekdays.

Hope this helps! 😊

Phoebe

younesboumaaz
Engager

Thank you for your response! Indeed, it would work if only date_wday was in my data... But no worries, it inspired me, and I worked on it to finally find a solution!

I've set my time range to "last 6 days":

index=yourindex
| timechart span=1d sum(NbrHashOK) as sommehash
| fillnull value=0 sommehash
| eval
    Jour=strftime(_time, "%A %d %B %Y"),
    day_of_week=strftime(_time, "%A"),
    now=strftime(now(), "%A"),
    test=case(now="Monday" AND (day_of_week="Thursday" OR day_of_week="Friday"), "OK",
              now="Tuesday" AND (day_of_week="Friday" OR day_of_week="Monday"), "OK",
              now="Wednesday" AND (day_of_week="Monday" OR day_of_week="Tuesday"), "OK",
              now="Thursday" AND (day_of_week="Tuesday" OR day_of_week="Wednesday"), "OK",
              now="Friday" AND (day_of_week="Wednesday" OR day_of_week="Thursday"), "OK",
              1=1, 0)
| where test="OK"
| stats sum(sommehash) as test_sommehash values(Jour) as jour

lydiapal_splunk
Splunk Employee

Also note that there must be events on the "last working day" for this search to work.
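
As an added example (not code from either post), the same business-day logic in Python with assumed function names and constructed sample events: previous_business_days generalizes the hard-coded case() table to any weekday, daily_sums mirrors timechart span=1d plus fillnull value=0, and eventstats_pair mirrors the date_wday answer so that the caveat above (no events on the last working day shifts the pair back a day) can be checked.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed sample: (event time, NbrHashOK). Thursday 2024-02-15 reports 0,
# Friday 2024-02-16 has no events at all, and the alert runs Monday 2024-02-19.
EVENTS = [
    (datetime(2024, 2, 14, 10, 0), 3),   # Wednesday
    (datetime(2024, 2, 15, 9, 30), 0),   # Thursday
    (datetime(2024, 2, 15, 15, 0), 0),   # Thursday
]
TODAY = date(2024, 2, 19)                # Monday

def previous_business_days(today, n=2):
    """The n most recent Mon-Fri dates strictly before today, oldest first.
    Same result as the hard-coded case() table, for any weekday the alert runs."""
    found, d = [], today
    while len(found) < n:
        d -= timedelta(days=1)
        if d.weekday() < 5:              # 0 = Monday .. 4 = Friday
            found.append(d)
    return sorted(found)

def daily_sums(events, start, end):
    """timechart span=1d sum(NbrHashOK) followed by fillnull value=0:
    one bucket per calendar day in [start, end), days without events become 0."""
    sums = defaultdict(int)
    for ts, value in events:
        if start <= ts.date() < end:
            sums[ts.date()] += value
    return {start + timedelta(days=i): sums[start + timedelta(days=i)]
            for i in range((end - start).days)}

def should_alert(events, today):
    """True when the daily sum is 0 on both of the last two business days
    (6-day window, as in the accepted search)."""
    buckets = daily_sums(events, today - timedelta(days=6), today)
    return all(buckets[d] == 0 for d in previous_business_days(today))

def eventstats_pair(events, today):
    """The date_wday answer: weekday of the latest event in the last 4 full days
    plus its previous working day. Without events on the last working day,
    the pair silently shifts back one day."""
    days = sorted(ts.date() for ts, _ in events
                  if today - timedelta(days=4) <= ts.date() < today
                  and ts.weekday() < 5)
    if not days:
        return None
    last = days[-1]
    prev = last - timedelta(days=3 if last.weekday() == 0 else 1)
    return (prev.strftime("%A").lower(), last.strftime("%A").lower())
```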
