Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how to distribute events across non standard business day timerange

marcoscala
Builder
‎01-23-2014 03:16 AM

Hi!
Our customer (broadcaster...) needs to aggregare events "by day" where their "business day" spans from 6:00AM to 5:59AM of the following day.

We have to modify all our 5-10 days reports of events to reflect this custom aggregation.

Any hints or Suggestions?!

Thanks a lot!

Marco

Tags (3)
0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎01-23-2014 04:31 AM

You could subtract 6 hours from each event time, so when you do a by day, it thinks events at 7AM really happened at 1AM.

your_search | eval _time = _time - (3600 * 6) | do_other_timecharty things

This will move all events from 6AM - 5:59AM to 12AM - 11:59PM, thereby allowing your timecharts to split by day.

Reply

martin_mueller
SplunkTrust
SplunkTrust
‎01-23-2014 04:27 AM

Here's a thought:

index=_internal | eval business_day_time = relative_time(_time, "-6h") | bucket business_day_time span=1d | stats count by business_day_time | fieldformat business_day_time = strftime(business_day_time, "%+")
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...