Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how to distribute events across non standard business day timerange

marcoscala
Builder
‎01-23-2014 03:16 AM

Hi!
Our customer (broadcaster...) needs to aggregare events "by day" where their "business day" spans from 6:00AM to 5:59AM of the following day.

We have to modify all our 5-10 days reports of events to reflect this custom aggregation.

Any hints or Suggestions?!

Thanks a lot!

Marco

Tags (3)
0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎01-23-2014 04:31 AM

You could subtract 6 hours from each event time, so when you do a by day, it thinks events at 7AM really happened at 1AM.

your_search | eval _time = _time - (3600 * 6) | do_other_timecharty things

This will move all events from 6AM - 5:59AM to 12AM - 11:59PM, thereby allowing your timecharts to split by day.

Reply

martin_mueller
SplunkTrust
SplunkTrust
‎01-23-2014 04:27 AM

Here's a thought:

index=_internal | eval business_day_time = relative_time(_time, "-6h") | bucket business_day_time span=1d | stats count by business_day_time | fieldformat business_day_time = strftime(business_day_time, "%+")
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...