- Splunk Answers
- :
- Using Splunk
- :
- Reporting
- :
- How to only include data for certain hours of the ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
Looking at the scheduled report delivery, there is no option to exclude days in a longer time range or limit the report to a specific time frame.
Can you point me in the right direction of creating 2 reports:
1 - daily that contains events between 9 AM and 6 PM
2 - monthly that contains events between 9 AM and 6 PM excluding weekends (so Monday to Friday)
Splunk version: 6.3.1
Thank you in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
sourcetype=foo
| eval date_hour=strftime(_time, "%H") | eval date_wday = strftime(_time, "%w")
| search date_hour>=9 date_hour<=18 date_wday>=1 date_wday<=5
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This also worked for me on Splunk 6.5.2.:
source=source (date_hour>=9 date_hour<=18) (date_wday!=sunday date_wday!=saturday)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use following for your daily report (assuming you run the report daily to create report of yesterday's data)
index=yourindex sourcetype=yoursourcetype earliest=-1d@d+9h latest=@d-6h | your reporting commands
Use this for your monthly report (for previous month)
index=yourindex sourcetype=yoursourcetype earliest=-1mon@mon latest=@mon date_hour>=9 date_hour<=18 NOT (date_wday=saturday OR date_wday=sunday) | your reporting commands
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When using your search i had missing events.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
what if the time is between 9:30 to 18:30?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
sourcetype=foo
| eval date_hour=strftime(_time, "%H") | eval date_wday = strftime(_time, "%w")
| search date_hour>=9 date_hour<=18 date_wday>=1 date_wday<=5
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you. This works.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use date_mday and date_hour to filter your scheduled searches:
Like this:
sourcetype=foo date_hour>=9 date_hour<=18 (date_wday=monday OR date_wday=tuesday OR date_wday=wednesday OR date_wday=thursday OR date_wday=friday)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For some reason using your string i only get 1 event per day and that is not ok.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
