Re: help to exclude weekend events in a timechart

jip31 · ‎04-09-2021

hello

in the search below which displays a timechart, I stats events except the weekend

these search displays events on the last 5 days

what I would like to do in my timechart is to not display the line chart for saturday and sunday because they are equal to 0

So for example, instead having wenesday, thursday, friday, saturday and sunday in the timechart, I need to display wenesday,, thursday, friday, monday and tuesday (5 days)

is it possible to do this please??

`CPU` 
| bin _time span=5h
| eval slottime = strftime(_time, "%H%M") 
| eval week =strftime(_time, "%w") 
| where (slottime >= 900 AND slottime <= 1700) AND (week >=1 AND week <=5)
| eval cpu_range=case(process_cpu_used_percent>0 AND process_cpu_used_percent <=20,"0-20",
    process_cpu_used_percent>20 AND process_cpu_used_percent <=40,"20-40",
    process_cpu_used_percent>40 AND process_cpu_used_percent <=60,"40-60",
    process_cpu_used_percent>60 AND process_cpu_used_percent <=80,"60-80",
    process_cpu_used_percent>80 AND process_cpu_used_percent <=100,"80-100") 
| stats avg(process_cpu_used_percent) as process_cpu_used_percent by host, _time, cpu_range, SITE
| timechart span=1d dc(host) by cpu_range

ITWhisperer · ‎04-09-2021

I am not quite sure what you are trying to do here since you have a 5 hour span and a 1 day span. The 5h span will snap the _time to the start of the current hour, then 5 hours before that, and 5 hours before that, and so on. Since there are 24 hours in a day, you will have different hours for different days. Having said that, the chart will use the fact that you are using _time and try to be helpful by filling in the missing days. To get around this, you can evaluate another field that just has the date in as a string and use that as your base

| bin span=1d _time | eval date=strftime(_time,"%Y-%m-%d") | chart ... by date ...

aasabatini · ‎04-09-2021

Hi @jip31

Try this two options:

`CPU` 
| date_wday!=saturday date_wday!=sunday
| bin span=1d _time
| eval cpu_range=case(process_cpu_used_percent>0 AND process_cpu_used_percent <=20,"0-20",
    process_cpu_used_percent>20 AND process_cpu_used_percent <=40,"20-40",
    process_cpu_used_percent>40 AND process_cpu_used_percent <=60,"40-60",
    process_cpu_used_percent>60 AND process_cpu_used_percent <=80,"60-80",
    process_cpu_used_percent>80 AND process_cpu_used_percent <=100,"80-100") 
| stats avg(process_cpu_used_percent) as process_cpu_used_percent by host, _time, cpu_range, SITE
| chart dc(host) by cpu_range _time

OR

| your time chart search | eval date_wday=lower(strftime(_time,"%A")) |where NOT (date_wday=saturday OR date_wday=sunday) | fields - date_wday

I hope it can help you

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

jip31 · ‎04-09-2021

thanks but I don't understand everything

as you can see below I already exclude events which ocured the weekend

| eval slottime = strftime(_time, "%H%M") 
| eval week =strftime(_time, "%w") 
| where (slottime >= 900 AND slottime <= 1700) AND (week >=1 AND week <=5)

so your code seems to do the same things

if you look the attachment below, I dont want to display the sunday because there is no data collect for this days so it"s normal that all the timechart lines are equal to 0

what I would like to do, it's just to display in my timechart, it's the result for the last 5 opened days

https://www.cjoint.com/c/KDjqTqVupUg

But the problem is on my x axis. I will always the weekend displayed even if I exclude the weekend events in my search like in the exemple you sent me

help to exclude weekend events in a timechart

other

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!