Hi Splunkers, hope you guys are all well.

I'm trying to do an adaptation of the search in this post (thanks to @elliotproebstel and @javiergn !) https://community.splunk.com/t5/Getting-Data-In/How-to-calculate-total-Business-hours-in-between-weekend-days/td-p/304838

I'm working in UTC and in my case I'm interested in counting the hours between 1 PM and 1 AM (next day). It works great for other teams where hours are in the same day, but I'm finding the next day tricky.

This is what I have so far:

| eval start=strptime(reported_time,"%b %d %Y %H:%M:%S")
| eval end=strptime(processed_time,"%b %d %Y %H:%M:%S")
| eval minute = mvrange(0, (end - start), 60)
| mvexpand minute
| eval _time = start + minute
| eval myHour = strftime(_time,"%H")
| eval myMinute = strftime(_time,"%H")
| eval myDay = strftime(_time,"%A")
| eval myMonth = strftime(_time,"%b")
| where myDay != "Saturday" AND myDay != "Sunday" AND myHour >= 13 AND myHour <=1
| stats count as durationInMinutes by ticket,reported_time,processed_time
| eval duration = tostring(durationInMinutes*60, "duration")
| eval SLO=if(durationInMinutes>60,"SLO Fail","SLO Achieved")
| table ticket,reported_time,processed_time,duration,SLO
| sort by - duration

I want my table to show: ticket number, reported time (when it was reported), processed time (when it got worked by an engineer), duration (time between reported time and processed time, counting only hours between 1 PM and 1 AM next day) and whether the SLO was met or not.

Thanks for the help!!

Wheresmydata.
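One way to handle a window that crosses midnight, as an added example that is not part of the original post: a filter such as `myHour >= 13 AND myHour <= 1` can never be true for a single hour value, so the window is written as two ranges joined with OR (hours 13 to 23, plus hour 0). Assumptions: the first row is a constructed sample ticket, and the hypothetical `shiftDay` field attributes the 00:00 to 01:00 hour to the previous calendar day, so the hour after Friday midnight counts and the hour after Sunday midnight does not.

```spl
| makeresults
| eval ticket="CONSTRUCTED-1", reported_time="Mar 01 2024 23:30:00", processed_time="Mar 02 2024 02:00:00"
| eval start=strptime(reported_time,"%b %d %Y %H:%M:%S")
| eval end=strptime(processed_time,"%b %d %Y %H:%M:%S")
| eval minute=mvrange(0, end - start, 60)
| mvexpand minute
| eval t=start + minute
| eval myHour=tonumber(strftime(t,"%H"))
| eval shiftDay=strftime(if(myHour < 1, t - 86400, t),"%A")
| where (myHour >= 13 OR myHour < 1) AND shiftDay!="Saturday" AND shiftDay!="Sunday"
| stats count as durationInMinutes by ticket,reported_time,processed_time
| eval duration=tostring(durationInMinutes*60,"duration")
| eval SLO=if(durationInMinutes>60,"SLO Fail","SLO Achieved")
| sort - durationInMinutes
| table ticket,reported_time,processed_time,duration,SLO
```

Tickets with no minutes inside the window produce no rows after the `where` and therefore drop out of the `stats` output, as in the original search.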