Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

excluding weekends and overnights from plotted results

stringbean
New Member
‎06-26-2019 05:27 AM

I'm trying to plot the average figure from a set of results, however I want to exclude weekends and overnight as the figure i'm interested in (in this case wifi clients RSSI) would be skewed as they are stored in areas with poor coverage overnight\weekends. I'm only interested in the signal strength during the day while they are in use.

How would I achieve this - my current search (which works fine but includes overnight & weekends)) looks like this:

sourcetype="clientinfo" ClientMac!=ClientMac Environment="B"
| bucket span=24h _time
| search (RSSI>-76)
| timechart span=1d avg(RSSI)

Thanks

0 Karma
Reply

niketn
Legend
‎06-26-2019 08:24 AM

@stringbean have you tried using date_wday and date_hour fields for this filtering?

Following is a run anywhere example from Splunk's _internal index which returns results from weekday i.e. excluding Saturday and Sunday and hours from 8 AM to 6 PM

index=_internal sourcetype=splunkd log_level=ERROR NOT (date_wday IN ("saturday","sunday")) AND date_hour IN (8,9,10,11,12,13,14,15,16,17,18)
| chart count as Error by date_wday date_hour
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

sandeepmakkena
Contributor
‎06-26-2019 07:51 AM

| bucket span=24h _time
| eval Hour = strftime(_time,"%H")
| eval day_of_week = strftime(_time,"%A")
| search (RSSI>-76 AND RSSI!=-128) AND (day_of_week!="Saturday" AND day_of_week!="Sunday") AND (Hour >= day_starting OR Hour<= day_ending)
| timechart span=1d avg(RSSI)

This should give you what you are looking for.

0 Karma
Reply

stringbean
New Member
‎06-26-2019 08:26 AM

That seems to work, just validating the results now, thanks

0 Karma
Reply

stringbean
New Member
‎06-26-2019 06:18 AM

I've figured out how to exclude weekends using the following but still need help with overnight:

sourcetype="clientinfo" ClientMac!=ClientMac Environment="B"
| bucket span=24h _time
| eval day_of_week = strftime(_time,"%A")
| search (RSSI>-76 AND RSSI!=-128) AND (day_of_week!="Saturday" AND day_of_week!="Sunday")
| timechart span=1d avg(RSSI)

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...