Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

excluding holidays and weekends a count of days with events and a count of total days excluding weekends and holidays

omgwut56k
Path Finder
‎01-13-2016 12:48 PM

I need to get a count of possible days an event could be happening while excluding weekends and holidays, for example

index=physical date_wday!="saturday" date_wday!="sunday"

| WHERE holiday!=*
| eval day_of_swipe=(date_month + " "+ date_mday + " "+ date_wday )

| stats count(dvc_name) as swipes_per_day by user,day_of_swipe

| eventstats dc(day_of_swipe) as work_days
| eventstats dc(day_of_swipe) as days_swiped by nick
| eval perc_present=round((days_swiped/work_days*100))

eventstats is giving me the total number of days being search and not the excluded, I need to get the total number of possible working days m-f and excluding any holidays are being identified with a lookup table and filtered

Any ideas?

Tags (2)
0 Karma
Reply

somesoni2
Revered Legend
‎01-13-2016 02:51 PM

Try this

index=physical date_wday!="saturday" date_wday!="sunday" 
| eval Date=strftime(_time,"%d-%m-%Y") | search NOT [| inputlookup holidays.csv | table holiday | rename holiday as Date]
| eval day_of_swipe=(date_month + " "+ date_mday + " "+ date_wday ) 
| stats count(dvc_name) as swipes_per_day by user,day_of_swipe 
| eventstats dc(day_of_swipe) as work_days
| eventstats dc(day_of_swipe) as days_swiped by nick 
| eval perc_present=round((days_swiped/work_days*100))
Reply

omgwut56k
Path Finder
‎01-14-2016 06:41 AM

EXCELLENT! Thank you kind sir.

0 Karma
Reply

omgwut56k
Path Finder
‎01-14-2016 08:40 AM

Bonus points if you can solve this one.

I have my results which are correct for a single month span. I would like to run this against the previous year and see the results in 1 month buckets. Can you point me to a solution?

Thank you!!!

0 Karma
Reply

somesoni2
Revered Legend
‎01-13-2016 01:38 PM

Do you have the holiday lookup containing dates of holidays??

0 Karma
Reply

omgwut56k
Path Finder
‎01-13-2016 02:29 PM

I do and it is working correctly.

holidays.csv

holiday,type,holiday_description
25-12-2015,global,christmas
16-02-2015,global,presidents day

transforms.conf
[holidays]
filename = holidays.csv
min_matches = 1

props.conf
EVAL-holiday = strftime(_time,"%d-%m-%Y")
LOOKUP-isaholiday = holidays holiday OUTPUTNEW

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...