Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can we filter our query in days like Monday to Friday and calculate their average value?

sabasiddiqui
Loves-to-Learn
‎05-09-2023 09:01 PM

How can we filter our query in days like Monday to Friday and calculate their average value. For eg, I am getting data through python script which is running every 5 minute. To calculate month to week and month to day data, which requires data from monday to friday. How can we filter or extract data from the same?

Labels (1)
Labels
0 Karma
Reply

TrangCIC81
Communicator
‎05-10-2023 09:29 PM

 

To filter your data to only include weekdays (Monday to Friday) and then calculate their average value, you can use the following steps:

  1. Use Splunk's strftime function to extract the day of the week from the timestamp in your data. For example, if your timestamp field is called timestamp, you can extract the day of the week using the following query:

    | eval day=strftime(timestamp, "%w")

    This will create a new field called day that contains the day of the week as a number (0 for Sunday, 1 for Monday, 2 for Tuesday, and so on).

  2. Filter your data to only include weekdays (Monday to Friday) by using the where command. For example:

    | where day >= 1 AND day <= 5

    This will filter your data to only include events that occurred on a weekday (Monday to Friday).

  3. Calculate the average value of your data by using the stats command. For example, if your value field is called value, you can calculate the average value using the following query:

    | stats avg(value) as avg_value

    This will calculate the average value of your data for the selected time range and weekday filter.

    Putting it all together, your final query might look something like this:

    <your search> | eval day=strftime(timestamp, "%w") | where day >= 1 AND day <= 5 | stats avg(value) as avg_value

    This will filter your data to only include weekdays (Monday to Friday) and calculate their average value. Note that you will need to replace <your search> with your actual search that retrieves the data from your Python script.

    Hope this helps.

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎05-10-2023 03:06 PM

There are some fields, which are often indexed for a data source called date_* - you can see the docs about these here

https://docs.splunk.com/Documentation/Splunk/9.0.4/Admin/Propsconf#Timestamp_extraction_configuratio...

See the definition of the parameter

ADD_EXTRA_TIME_FIELDS

If these are extracted then you can simply use date_wday, which will be the full name of the day of the week, which means you can query directly for

your query... date_wday IN ("monday","tuesday","wednesday","thursday","friday")
...

and do your splits by this field

Reply

yeahnah
Motivator
‎05-10-2023 04:48 PM

Nice, I like this method, @bowesmana 

Tags (1)
0 Karma
Reply

yeahnah
Motivator
‎05-09-2023 09:43 PM

Hi @sabasiddiqui 

This is not possible using the Time picker UI.  The easiest way (I'm aware of) is to search all the data for the whole period, then filter out the weekend days.  For example...

 

... your query ...
| eval day=strftime(_time, "%a")
| where NOT match(day,"Sat|Sun")
| fields - day
| stats avg(x) ... and so on ...

 

If you provided some examples, this could possibly be optimised a bit, but as a starting point that's how I'd do it.

Hope it helps

Reply

yuanliu
SplunkTrust
SplunkTrust
‎05-10-2023 03:28 AM

In the same line,

... your query ...
| where NOT strftime(_time, "%a") IN ("Sat", "Sun")
| stats avg(x) ... and so on ...

String comparison is slightly faster than regex. 

0 Karma
Reply

yeahnah
Motivator
‎05-10-2023 01:43 PM

Cheers @yuanliu, that's good to know.  Always like efficiency wins 

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...