Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create table based on TRUE result?

bomran
Explorer
‎03-20-2018 07:25 AM

I'm trying to create a query that will show me {stuff} that's happening outside of 'typical' working hours (i.e. Sat/Sun, Outside of 9 to 5 with a couple hours grace).

I am using the below query to create what's essentially a boolean value (starting with day only) and I want to return a Table based on 1/True

index="<some_index>" 
| eval day_of_week=strftime(_time,"%A") 
| eval is_outside=case(day_of_week == "Saturday" OR day_of_week == "Sunday", "1",
0=0, "0") 
| where is_outside == "1"

This creates a field that looks like something I can work with. I'm just not sure how to return a table with only "1" values

I've tried things along the lines of the below to no avail.

| eval test=if(day_of_week, [ table action ], "")

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎03-20-2018 07:33 AM

@bomran, you should filter the results upfront rather than getting all the data and then applying filter only for Saturday or Sunday. Try the following search.

index="<some_index>"  date_wday="saturday" OR date_wday="sunday"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎03-20-2018 07:33 AM

@bomran, you should filter the results upfront rather than getting all the data and then applying filter only for Saturday or Sunday. Try the following search.

index="<some_index>"  date_wday="saturday" OR date_wday="sunday"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

bomran
Explorer
‎03-20-2018 07:36 AM

Nice, I didn't know about date_wday. Much easier, thanks.

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎03-20-2018 09:34 AM

Filtering results upfront in the base search would be faster as well. 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

bomran
Explorer
‎03-20-2018 07:26 AM

Nevermind, I'm having one of those days.

| where is_outside == "1" works.

Happy to know if there are better ways of doing this, if not I'll post this as an answer.

0 Karma
Reply
Solved! Jump to solution

tiagofbmm
Influencer
‎03-20-2018 07:33 AM

I think you could filter those right away instead of getting all events and the filter, like this:

index="<some_index>" 
    [| makeresults 
    | eval date_wday="saturday" 
    | append 
        [| makeresults 
        | eval date_wday="sunday"] 
    | return 2 date_wday]
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! &#x1f308; In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...