How to write query for including non business hour...

avinasa · ‎06-28-2022

Hi ,

I need a query for including non business hours and weekends

gcusello · ‎06-29-2022

if you want toexclude only non working hours and weekends, you could use the solution from @smurf .

If instead you want to manage also holydays, you have to create a lookup containing all the days in a year, called e.g. cal.csv with two columns:

Day,
Type.

For the Day column choose a forma and use always the same.

For the Type column, I usually use three values:

0 for working day,
1 for halp working day
2 for holydays.

in this way you can insert in your search the condition:

| eval Day=strftime(_time,"%d/%m/%Y") 
| lookup cal.csv Day OUTPUT Type 
| eval Hour=strftime(_time,"%H") 
| eval Minute=strftime(_time,"%M") 
| search Type=2 OR (Type=1 (Hour>14 OR (Hour<7 AND Minute<45))) OR (Type=0 (Hour>20 OR (Hour<8 AND Minute<45)))

I prefrered also created a macro do do this.

Ciao.

Giuseppe

smurf · ‎06-28-2022

Hi,

| eval date_hour = strftime(_time, "%k"), date_wday = strftime(_time, "%A") 
| search date_wday IN ("saturday", "sunday") OR (date_hour > 18 AND date_hour < 7)

change the times to your likings. usually the date_* fields are included, so you might not need the eval at all.

How to write query for including non business hours and weekends

eval

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

How to write query for including non business hours and weekends

eval

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases