Solved: Re: To find the day for include/exclude weekends i...

smanojkumar · ‎10-16-2023

Hi There!

I would like to include/exclude weekend in the search, So i had created the dropdown for that, I'm getting error in the searches,

My Time format is
2023-10-15T13:11:20.000+05:30

My dropdown is

<input type="radio" token="weekends" searchWhenChanged="true">
<label>Weekends</label>
<choice value="NOT (day_of_week="saturday" OR day_of_week="sunday")">Exclude Weekends</choice>
<choice value="day_of_week="*"">Include Weekends</choice>
<default>NOT (day_of_week="saturday" OR day_of_week="sunday")</default>
<initialValue>NOT (day_of_week="saturday" OR day_of_week="sunday")</initialValue>
</input>

My search is

`compliance("`console`", now(), -15d@d, mcafee,*, virus_, *, *, *)`

| eval day_of_week = lower(strftime(_time,"%A"))
| where NOT (day_of_week="saturday" OR day_of_week="sunday")
| chart count by virus_global
| sort virus_global

Thanks!

somesoni2 · ‎10-16-2023

Your filter to include weekends is "day_of_week="*"". The asterisk as wildcard doesn't work with "where" command. So either change your search to replace "where" with "search" OR change your include weekend filter.

Either Change search to:

`compliance("`console`", now(), -15d@d, mcafee,*, virus_, *, *, *)`
| eval day_of_week = lower(strftime(_time,"%A"))
| search NOT (day_of_week="saturday" OR day_of_week="sunday")
| chart count by virus_global
| sort virus_global

OR change radio button to:

<input type="radio" token="weekends" searchWhenChanged="true">
  <label>Weekends</label>
  <choice value="NOT (day_of_week=&quot;saturday&quot; OR day_of_week=&quot;sunday&quot;)">Exclude Weekends</choice>
  <choice value="true()">Include Weekends</choice>
  <default>NOT (day_of_week="saturday" OR day_of_week="sunday")</default>
  <initialValue>NOT (day_of_week="saturday" OR day_of_week="sunday"). 
  </initialValue>
</input>

View solution in original post

somesoni2 · ‎10-16-2023

Your filter to include weekends is "day_of_week="*"". The asterisk as wildcard doesn't work with "where" command. So either change your search to replace "where" with "search" OR change your include weekend filter.

Either Change search to:

`compliance("`console`", now(), -15d@d, mcafee,*, virus_, *, *, *)`
| eval day_of_week = lower(strftime(_time,"%A"))
| search NOT (day_of_week="saturday" OR day_of_week="sunday")
| chart count by virus_global
| sort virus_global

OR change radio button to:

<input type="radio" token="weekends" searchWhenChanged="true">
  <label>Weekends</label>
  <choice value="NOT (day_of_week=&quot;saturday&quot; OR day_of_week=&quot;sunday&quot;)">Exclude Weekends</choice>
  <choice value="true()">Include Weekends</choice>
  <default>NOT (day_of_week="saturday" OR day_of_week="sunday")</default>
  <initialValue>NOT (day_of_week="saturday" OR day_of_week="sunday"). 
  </initialValue>
</input>

smanojkumar · ‎10-17-2023

Hi @somesoni2 ,
Thanks for your response!

It works, Also is that possible to change the time range picker value as a token based on some conditions

If present day is "Monday" and if user selects the option "Exclude weekend", the time range picker should looks for the data on friday
If user selects the option "Include weekend", the time range picker should be yesterday

Thanks in Advance!

To find the day for include/exclude weekends in search

other

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)