Want to display my result only for this time (0-12...

rajhemant26 · ‎03-18-2019

Hello, everyone.
Want to display my result only for this time (0-12:00 UTC) for all the weekdays (Mon-Fri ).

marycordova · ‎03-18-2019

add this to your base search

date_wday IN (monday,tuesday,wednesday,thursday,friday) date_hour>=0 date_hour<=12

you might need to tweak the <=12 depending on your requirements

index=dcsdjc host=awer THREAD_WALL_MS!=null date_wday IN (monday,tuesday,wednesday,thursday,friday) date_hour>=0 date_hour<=12 
| bin _time span=1h 
| streamstats count as Req by host, _time 
| eval RequestsPerMin=Req/60 
| eval RequestsPerSec=RequestsPerMin/60 
| stats avg(RequestsPerMin) as AvgRequestsPerSec, max(RequestsPerMin) as MaxRequestsPerSec, p95(RequestsPerMin) as P95RequestsPerSec by host 
| eval AvgRequestsPerSec=round(AvgRequestsPerSec,2), MaxRequestsPerSec=round(MaxRequestsPerSec,2), P95RequestsPerSec=round(P95RequestsPerSec,2) 
| sort -MaxRequestsPerSec, -P95RequestsPerSec

@marycordova

pkeenan87 · ‎03-18-2019

You should be able to do this with the date_hour & date_wday fields. You should just need to add this to the first part of your search:

date_hour>=0 date_hour<12 (date_wday=monday OR date_wday=tuesday OR date_wday=wednesday OR date_wday=thursday OR 
date_wday=friday)

Full query

index=dcsdjc host=awer THREAD_WALL_MS!=null date_hour>=0 date_hour<12 (date_wday=monday OR date_wday=tuesday OR 
date_wday=wednesday OR date_wday=thursday OR date_wday=friday) | bin _time span=1h
| streamstats count as Req by host, _time
| eval RequestsPerMin=Req/60
| eval RequestsPerSec=RequestsPerMin/60
| stats avg(RequestsPerMin) as AvgRequestsPerSec, max(RequestsPerMin) as MaxRequestsPerSec, p95(RequestsPerMin) as 
P95RequestsPerSec by host |eval AvgRequestsPerSec=round(AvgRequestsPerSec,2), 
MaxRequestsPerSec=round(MaxRequestsPerSec,2), P95RequestsPerSec=round(P95RequestsPerSec,2)|sort -MaxRequestsPerSec, - 
P95RequestsPerSec

Want to display my result only for this time (0-12:00 UTC time) .

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Accelerating Observability as Code with the Splunk AI Assistant

Join the Conversation

Want to display my result only for this time (0-12:00 UTC time) .

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Accelerating Observability as Code with the Splunk AI Assistant