Splunk Search

How edit my search to exclude holidays (with the help of lookup)?

saura1312
Engager
 eval dates=mvrange(strptime(insrt_date,"%Y-%m-%d"),strptime(updt_date,"%Y-%m-%d"),86400) | convert ctime(dates)  timeformat="%A" | eval dates=mvfilter(NOT match(dates,"(Saturday|Sunday)")) 

I have my search to exclude the weekends. Can someone help me with how to include lookup in my search so it excludes the days present in my holiday lookup?

0 Karma

sundareshr
Legend

Try this

eval date=mvrange(strptime(insrt_date,"%Y-%m-%d"),strptime(updt_date,"%Y-%m-%d"),86400) | convert ctime(date) as dates  timeformat="%A" | eval dates=mvfilter(NOT match(dates,"(Saturday|Sunday)")) | mvexpand date  | search NOT [| inputlookup lookupfile.csv | eval datefield=strptime(datefield, "%Y-%m-%d") | rename datefield=date | fields date]

saura1312
Engager

Can you please show me how my lookup table should look like?

0 Karma

saura1312
Engager

It is not giving me dates in a single cell of the same daterange but instead its dividing it. Please help

0 Karma

sundareshr
Legend

Your lookup table should have at least the date for the holidays in a field called datefield. The format for the dates should be %Y-%m-%d. You can have additional fields, if you choose.

0 Karma

saura1312
Engager

It is not giving me dates in a single cell of the same daterange but instead its dividing it. Please help

0 Karma

sundareshr
Legend

Not sure I understand. Can you share some samples?

0 Karma

saura1312
Engager
eval date=mvrange(strptime(insrt_date,"%Y-%m-%d"),strptime(updt_date,"%Y-%m-%d"),86400)

this will give me dates in a single row cell like below

1.  2016-09-23
     2016-09-24
     2016-09-25
     2016-09-26

Now when i put the date for the lookup to compare and exclude holidays it gives me dates in different rows like

1.  2016-09-23
2.  2016-09-24
3.  2016-09-25
4.  2016-09-26

I don't want them in different rows

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...