Splunk Search

Need to calculate a count of each "Su M Tu W Th F Sa" between two dates

cpm003
Path Finder

Hello,

I'm looking to get this result between each start/end time.

Hope you could help me.

For example:

Start time   End time     Su  M   Tu  W   Th  F   Sa
2021/07/01   2021/07/17   2   2   2   2   3   3   3
2021/07/05   2021/07/20   2   3   3   2   2   2   2

 

Thanks in advance

0 Karma
1 Solution

ITWhisperer
SplunkTrust
| makeresults
| eval _raw="start,end
2021/07/01,2021/07/17
2021/07/05,2021/07/20"
| multikv forceheader=1
| table start end
| eval start=strptime(start,"%Y/%m/%d")
| eval end=strptime(end,"%Y/%m/%d")
| eval days=floor((end-start)/(24*60*60))+1
| fieldformat start=strftime(start,"%Y/%m/%d")
| fieldformat end=strftime(end,"%Y/%m/%d")
| eval days=mvrange(1,days+1)
| eval days=mvmap(days,start+((days-1)*24*60*60))
| eval days=mvmap(days,strftime(days,"%a"))
| streamstats count as row
| stats count by row start end days
| eval dates=start."!".end
| xyseries dates days count
| eval start=mvindex(split(dates,"!"),0)
| eval end=mvindex(split(dates,"!"),1)
| fields - dates
| table start end Sun Mon Tue Wed Thu Fri Sat


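As an added cross-check, not part of the original thread and not Splunk's own code, the same per-weekday count done in plain Python with the standard library. It walks the inclusive date range one calendar day at a time, the same idea as the mvrange/mvmap steps in the SPL above, and is handy for verifying a search result against dates you already know. The day labels, the "%Y/%m/%d" input format and the two sample rows are assumptions taken from the question's table.

```python
from datetime import datetime, timedelta

# Constructed sample rows mirroring the question's table (assumed input format "%Y/%m/%d")
SAMPLE_ROWS = [("2021/07/01", "2021/07/17"), ("2021/07/05", "2021/07/20")]

# Column order as used in the question (assumed label set)
DAY_LABELS = ["Su", "M", "Tu", "W", "Th", "F", "Sa"]

# Python's date.weekday(): Monday=0 ... Sunday=6; map onto the Su-first labels above
_WEEKDAY_TO_LABEL = {6: "Su", 0: "M", 1: "Tu", 2: "W", 3: "Th", 4: "F", 5: "Sa"}


def parse_day(text, fmt="%Y/%m/%d"):
    """Parse a date string into a date object (no time-of-day, no timezone)."""
    return datetime.strptime(text, fmt).date()


def weekday_counts(start, end):
    """Count each weekday in the inclusive range start..end.

    Works on calendar dates rather than epoch seconds, so DST changes cannot
    shift a day boundary. Every label is present in the result, defaulting to 0,
    whereas xyseries in the SPL answer only emits columns for days that occurred.
    """
    if end < start:
        raise ValueError("end date is before start date")
    counts = dict.fromkeys(DAY_LABELS, 0)
    day = start
    while day <= end:
        counts[_WEEKDAY_TO_LABEL[day.weekday()]] += 1
        day += timedelta(days=1)
    return counts


def weekday_table(rows):
    """Build the (start, end, Su, M, Tu, W, Th, F, Sa) table from string date pairs."""
    table = []
    for start_text, end_text in rows:
        counts = weekday_counts(parse_day(start_text), parse_day(end_text))
        table.append((start_text, end_text) + tuple(counts[label] for label in DAY_LABELS))
    return table


if __name__ == "__main__":
    print("start       end         " + "  ".join(DAY_LABELS))
    for row in weekday_table(SAMPLE_ROWS):
        print("  ".join(str(cell) for cell in row))
```

Two things worth checking against the SPL answer: the sum of the seven counts must equal the number of days in the inclusive range, which is a quick sanity test on any row; and because the SPL version steps in fixed 86400-second increments from a local-midnight epoch, a range that crosses the end of daylight saving time in the search user's timezone lands at 23:00 of the same day on that step, so one day name repeats and the later counts shift by one. Stepping over calendar dates, as above, avoids that.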
cpm003
Path Finder

Hello @ITWhisperer 

Seems to be working nicely, but I need to print additional fields in this result, such as "Event ID", "Owner", "Assigned Group". How could I get them?

Thanks in advance

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

You could use this as a subsearch on a join with your original data.

0 Karma

cpm003
Path Finder

Thanks for your support, really appreciated

0 Karma

efika
Communicator

Hi @Anonymous 

Try using foreach:

| makeresults count=1
| eval Su=2
| eval M=2
| eval Tu=2
| eval W=2
| eval Th=2
| eval F=3
| eval Sa=3
| eval total=0
| foreach Su,M,Tu,W,Th,F,Sa
    [ eval total=total+<<FIELD>> ]
0 Karma