Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

excluding holidays and weekends a count of days with events and a count of total days excluding weekends and holidays

omgwut56k
Path Finder
‎01-13-2016 12:48 PM

I need to get a count of possible days an event could be happening while excluding weekends and holidays, for example

index=physical date_wday!="saturday" date_wday!="sunday"

| WHERE holiday!=*
| eval day_of_swipe=(date_month + " "+ date_mday + " "+ date_wday )

| stats count(dvc_name) as swipes_per_day by user,day_of_swipe

| eventstats dc(day_of_swipe) as work_days
| eventstats dc(day_of_swipe) as days_swiped by nick
| eval perc_present=round((days_swiped/work_days*100))

eventstats is giving me the total number of days being search and not the excluded, I need to get the total number of possible working days m-f and excluding any holidays are being identified with a lookup table and filtered

Any ideas?

Tags (2)
0 Karma
Reply

somesoni2
Revered Legend
‎01-13-2016 02:51 PM

Try this

index=physical date_wday!="saturday" date_wday!="sunday" 
| eval Date=strftime(_time,"%d-%m-%Y") | search NOT [| inputlookup holidays.csv | table holiday | rename holiday as Date]
| eval day_of_swipe=(date_month + " "+ date_mday + " "+ date_wday ) 
| stats count(dvc_name) as swipes_per_day by user,day_of_swipe 
| eventstats dc(day_of_swipe) as work_days
| eventstats dc(day_of_swipe) as days_swiped by nick 
| eval perc_present=round((days_swiped/work_days*100))
Reply

omgwut56k
Path Finder
‎01-14-2016 06:41 AM

EXCELLENT! Thank you kind sir.

0 Karma
Reply

omgwut56k
Path Finder
‎01-14-2016 08:40 AM

Bonus points if you can solve this one.

I have my results which are correct for a single month span. I would like to run this against the previous year and see the results in 1 month buckets. Can you point me to a solution?

Thank you!!!

0 Karma
Reply

somesoni2
Revered Legend
‎01-13-2016 01:38 PM

Do you have the holiday lookup containing dates of holidays??

0 Karma
Reply

omgwut56k
Path Finder
‎01-13-2016 02:29 PM

I do and it is working correctly.

holidays.csv

holiday,type,holiday_description
25-12-2015,global,christmas
16-02-2015,global,presidents day

transforms.conf
[holidays]
filename = holidays.csv
min_matches = 1

props.conf
EVAL-holiday = strftime(_time,"%d-%m-%Y")
LOOKUP-isaholiday = holidays holiday OUTPUTNEW

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...