How to add work week date in Splunk query (or) how...

samadhuazad · ‎07-08-2023

how to add work week date in splunk query (or) how to convert date to work week ?

gcusello · ‎07-08-2023

you can use the solution from @yuanliu to analyze only days from Monday to Friday, that's perfect.

If you want also to consider holydays and time out of working time, you have to use a solution like the one I described in this answer: https://community.splunk.com/t5/Splunk-Search/How-to-write-query-for-including-non-business-hours-an...

Ciao.

Giuseppe

yuanliu · ‎07-08-2023

Unclear what the real requirements are. By work week, I suppose you mean Monday to Friday (common numeric representation 1 to 5). Is there an intention/designation for dates that fall outside work week? Or is the intention to add a marker "workweek" to each date that falls in a work week?

If you just want the day of week, strftime is sufficient

| eval weekday = strftime(_time, "%w")

If you want to mark dates within work weeks, you can create a new field for this:

| eval weekday = strftime(_time, "%w")
| eval isworkweek = if(0 < weekday and weekday < 6, weekday, null())

There are a million other ways the question can be interpreted.

How to add work week date in Splunk query (or) how to convert date to work week?

subsearch

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!