How to write query for including non business hour...

avinasa · ‎06-28-2022

Hi ,

I need a query for including non business hours and weekends

gcusello · ‎06-29-2022

if you want toexclude only non working hours and weekends, you could use the solution from @smurf .

If instead you want to manage also holydays, you have to create a lookup containing all the days in a year, called e.g. cal.csv with two columns:

Day,
Type.

For the Day column choose a forma and use always the same.

For the Type column, I usually use three values:

0 for working day,
1 for halp working day
2 for holydays.

in this way you can insert in your search the condition:

| eval Day=strftime(_time,"%d/%m/%Y") 
| lookup cal.csv Day OUTPUT Type 
| eval Hour=strftime(_time,"%H") 
| eval Minute=strftime(_time,"%M") 
| search Type=2 OR (Type=1 (Hour>14 OR (Hour<7 AND Minute<45))) OR (Type=0 (Hour>20 OR (Hour<8 AND Minute<45)))

I prefrered also created a macro do do this.

Ciao.

Giuseppe

smurf · ‎06-28-2022

Hi,

| eval date_hour = strftime(_time, "%k"), date_wday = strftime(_time, "%A") 
| search date_wday IN ("saturday", "sunday") OR (date_hour > 18 AND date_hour < 7)

change the times to your likings. usually the date_* fields are included, so you might not need the eval at all.

How to write query for including non business hours and weekends

eval

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

Are you a member of the Splunk Community?

How to write query for including non business hours and weekends

eval

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine