Hey, This forum has been so very helpful... I really cannot thank the posters here enough! However, I have a question I have not been able to find an answer to. I have a search that I am trying to gather statistics for the previous day, but only the previous weekday. So if today is Monday I want my search to reflect information from Friday. If it is Tuesday I wnat the search to reflect information from Monday. So I am trying to essentially do something along the lines of: "mysearch" earliest=if(strftime(now(), "%A")=="Monday", relative_time(now(),"@w5"), relative_time(now(),"-d@d") ) latest=if(strftime(now(), "%A")=="Monday", relative_time(now(), "@w6"), relative_time(now(),"@d")) | chart count by host However, splunk does not like this syntax. Is there something I am missing or a simple way of doing this? Thank you very much for your help!! ... View more

I am trying to report a statistic over the last X Business Days (7 or 30) by multiple hosts. The result chart should span that interval, but not include weekends. I've gotten my search to ignore weekends, and can even get a chart that does not have weekends, but unlike a timechart it is not sorted by date. Here is basically what I am doing: "My Search" earliest=* latest=* NOT date_wday=saturday NOT date_wday=sunday | timechart span=1d avg(Field) by host If I do that search then I get weekend dates in my timechart, even though there are no statistics for the weekend days themselves. An alternative theme I've tried is variations on: "My Search" earliest=* latest=* NOT date_wday=saturday NOT date_wday=sunday | eval Day = strftime(_time, "%D") | chart avg(Field) over Day by host However, all of the variations I have tried on that theme leave the days out of date order. I am brand new to Splunk, so if anyone can point me in the right direction to some way report accross a timespan while removing weekends... I would be very, very grateful. Thank you! ... View more