Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to create table based on TRUE result?

bomran
Explorer
‎03-20-2018 07:25 AM

I'm trying to create a query that will show me {stuff} that's happening outside of 'typical' working hours (i.e. Sat/Sun, Outside of 9 to 5 with a couple hours grace).

I am using the below query to create what's essentially a boolean value (starting with day only) and I want to return a Table based on 1/True

index="<some_index>" 
| eval day_of_week=strftime(_time,"%A") 
| eval is_outside=case(day_of_week == "Saturday" OR day_of_week == "Sunday", "1",
0=0, "0") 
| where is_outside == "1"

This creates a field that looks like something I can work with. I'm just not sure how to return a table with only "1" values

I've tried things along the lines of the below to no avail.

| eval test=if(day_of_week, [ table action ], "")

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎03-20-2018 07:33 AM

@bomran, you should filter the results upfront rather than getting all the data and then applying filter only for Saturday or Sunday. Try the following search.

index="<some_index>"  date_wday="saturday" OR date_wday="sunday"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎03-20-2018 07:33 AM

@bomran, you should filter the results upfront rather than getting all the data and then applying filter only for Saturday or Sunday. Try the following search.

index="<some_index>"  date_wday="saturday" OR date_wday="sunday"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

bomran
Explorer
‎03-20-2018 07:36 AM

Nice, I didn't know about date_wday. Much easier, thanks.

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎03-20-2018 09:34 AM

Filtering results upfront in the base search would be faster as well. 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

bomran
Explorer
‎03-20-2018 07:26 AM

Nevermind, I'm having one of those days.

| where is_outside == "1" works.

Happy to know if there are better ways of doing this, if not I'll post this as an answer.

0 Karma
Reply
Solved! Jump to solution

tiagofbmm
Influencer
‎03-20-2018 07:33 AM

I think you could filter those right away instead of getting all events and the filter, like this:

index="<some_index>" 
    [| makeresults 
    | eval date_wday="saturday" 
    | append 
        [| makeresults 
        | eval date_wday="sunday"] 
    | return 2 date_wday]
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...