I'm trying to create a query that will show me {stuff} that's happening outside of 'typical' working hours (i.e. Sat/Sun, Outside of 9 to 5 with a couple hours grace).
I am using the below query to create what's essentially a boolean value (starting with day only), and I want to return a table based on 1/True.
index="<some_index>"
| eval day_of_week=strftime(_time,"%A")
| eval is_outside=case(day_of_week == "Saturday" OR day_of_week == "Sunday", "1",
0=0, "0")
| where is_outside == "1"
This creates a field that looks like something I can work with. I'm just not sure how to return a table with only "1" values.
I've tried things along the lines of the below to no avail.
| eval test=if(day_of_week, [ table action ], "")
@bomran, you should filter the results upfront rather than getting all the data and then applying filter only for Saturday or Sunday. Try the following search.
index="<some_index>" date_wday="saturday" OR date_wday="sunday"
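As an added illustration (not from any post in this thread), the upfront filter from the answer above can be extended to cover the rest of the question: weekends plus anything outside 09:00 to 17:00 with two hours of grace on each side, i.e. outside 07:00 to 19:00. The `action` field in the final `table` is assumed from the question's own attempt, and `<some_index>` is the placeholder the thread already uses.

```spl
index="<some_index>"
    (date_wday="saturday" OR date_wday="sunday" OR date_hour<7 OR date_hour>=19)
| eval day_of_week=strftime(_time,"%A"), hour_of_day=tonumber(strftime(_time,"%H"))
| table _time day_of_week hour_of_day action

index="<some_index>"
| eval day_of_week=strftime(_time,"%A"), hour_of_day=tonumber(strftime(_time,"%H"))
| where day_of_week="Saturday" OR day_of_week="Sunday" OR hour_of_day<7 OR hour_of_day>=19
| table _time day_of_week hour_of_day action
```

The first search is the fast path: `date_wday` and `date_hour` are indexed fields, so the weekend and off-hours conditions are applied before any events are returned. The caveat is that the `date_*` fields are derived from the timestamp found in the raw event text, so they are absent when Splunk assigned the timestamp itself, and they are not shifted to the searching user's timezone. The second search trades speed for correctness in those cases: `strftime(_time, ...)` renders `_time` in the user's timezone, and the `where` clause does the same filtering after `eval`, which is exactly the pattern the question was reaching for with `is_outside`.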
Nice, I didn't know about date_wday. Much easier, thanks.
Filtering results upfront in the base search would be faster as well. 🙂
Never mind, I'm having one of those days.
| where is_outside == "1"
works.
Happy to know if there are better ways of doing this, if not I'll post this as an answer.
I think you could filter those right away instead of getting all events and then filtering, like this:
index="<some_index>"
[| makeresults
| eval date_wday="saturday"
| append
[| makeresults
| eval date_wday="sunday"]
| return 2 date_wday]