Dashboards & Visualizations

Is it possible to create a custom preset for "Previous Business Day" or a choice for this on a time range picker?

jgbricker
Contributor

I would like to either create a custom preset for previous business day or create a time picker choice that I could use a populating search to get the desired date. Does anyone know about feasibility on this? Do you know how?
Thanks!

ppablo
Retired

Hi @jgbricker

Did you happen to find a solution to this, or did you end up going with @wpreston's recommendation of making it into a search macro? This is an interesting topic, so just wanted to make sure this post gets resolved as it'll be useful for many other users.

wpreston
Motivator

You can do this through the Splunk UI:

  1. Go to Settings --> User Interface --> Time Ranges
  2. Click on "New"
  3. Give your time range a name and a label, then set its settings. It should show up under the presets menu or under a sub menu if you create it that way.
  4. If you want it to be used by more users than just yourself, be sure to edit its permissions.

jgbricker
Contributor

Thanks for these tips! However, the issue I'm having comes up when the current day is Monday and I want to see Friday's data (previous business day).

In a search command we can use a case statement to set the day.
Example:

  index=myindex sourcetype=something
    [search index=mainframe | head 1
      | eval day_of_week = tonumber(strftime(now(), "%w"))
      | eval earliest = case(day_of_week == 0, "-2d@d", day_of_week == 1, "-3d@d", 1 == 1, "-1d@d")
      | fields earliest]
    [search index=mainframe | head 1
      | eval day_of_week = tonumber(strftime(now(), "%w"))
      | eval latest = case(day_of_week == 0, "-1d@d", day_of_week == 1, "-2d@d", 1 == 1, "@d")
      | fields latest]

How do I create a custom preset or a time picker choice that would set the date based on what day it is now?


wpreston
Motivator

Ah, I see, sorry about that. I'm not sure how to create a conditional time preset that is available in the time range picker. You could, however, create a search macro to give you the same effect. Here is the search I wrote for the macro:

  [search * | head 1
    | eval tnow=now()
    | eval myTime=strftime(tnow,"%w")
    | eval earliest=if(myTime=6 OR myTime=0 OR myTime=1,"@w5+8h","-1d@d+8h")
    | eval latest=if(myTime=6 OR myTime=0 OR myTime=1,"@w5+17h","-1d@d+17h")
    | fields earliest,latest
    | format "(" "(" "" ")" "OR" ")" ]

I named the macro PreviousBusinessDay. You can use it in a search like this:

`PreviousBusinessDay` search terms here | piped | commands | here...

It should accomplish the meat of what you want, but unfortunately I don't know how to put this kind of functionality inside the timerangepicker presets. Hopefully this will help out at least a little until another solution can be found.

wpreston
Motivator

Also I should add, just in case anyone needs it, how to create and use a search macro.

  1. In the Splunk UI, click on Settings --> Advanced Search --> Search Macros
  2. Click on the "New" button
  3. Give the macro the name it will be called by from the search bar. In this example, I named my macro PreviousBusinessDay
  4. Enter the search string that the macro will perform into the definition section of the form.
  5. Click save.

The newly created macro can be used by enclosing the macro name in accent ( ` ) characters (the character that shares a key with the tilde (~) on the keyboard), like this: `PreviousBusinessDay`.

Docs on search macros can be found here

wpreston
Motivator

Just in case you need to know, use Splunk's relative time modifiers to specify the earliest and latest times for your new time range preset. For example, if you want to set the earliest time to "yesterday at 8:00 am", use this: -1d@d+8h. An example latest time of "yesterday at 5:00 pm" would be -1d@d+17h.

Some documentation and examples of relative time modifiers can be found here.

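The weekday-to-modifier mapping from the two searches in this thread (the case() subsearches and the PreviousBusinessDay macro), carried into a small Python checker so the Monday and Sunday edge cases can be verified without a Splunk instance. This is an added example, not code from the thread; resolve() is an offline approximation of Splunk's relative-time snapping for just the tokens used here (-Nd, +Nh, @d, @wN), not Splunk's own parser.

```python
import re
from datetime import datetime, timedelta

def case_modifiers(now: datetime) -> tuple:
    """jgbricker's case(): the whole previous business day as (earliest, latest).
    Weekday numbering follows strftime("%w"): 0=Sunday ... 6=Saturday."""
    dow = int(now.strftime("%w"))
    if dow == 0:            # Sunday  -> Friday 00:00 .. Saturday 00:00
        return "-2d@d", "-1d@d"
    if dow == 1:            # Monday  -> Friday 00:00 .. Saturday 00:00
        return "-3d@d", "-2d@d"
    return "-1d@d", "@d"    # Tue-Sat -> yesterday 00:00 .. today 00:00

def macro_modifiers(now: datetime) -> tuple:
    """wpreston's macro: previous business day, 08:00 to 17:00 only."""
    if int(now.strftime("%w")) in (6, 0, 1):   # Sat/Sun/Mon -> last Friday
        return "@w5+8h", "@w5+17h"
    return "-1d@d+8h", "-1d@d+17h"

_TOKEN = re.compile(r"([+-]\d+)([dh])|@(d|w[0-6])")

def resolve(modifier: str, now: datetime) -> datetime:
    """Apply the subset of relative-time syntax used in the thread (-Nd, +Nh,
    @d, @wN) left to right. @wN snaps back to the most recent day N
    (0=Sunday) at midnight. Offline approximation, not Splunk's parser."""
    t, pos = now, 0
    for m in _TOKEN.finditer(modifier):
        if m.start() != pos:
            raise ValueError(f"unsupported syntax in {modifier!r}")
        pos = m.end()
        amount, unit, snap = m.groups()
        if snap == "d":
            t = t.replace(hour=0, minute=0, second=0, microsecond=0)
        elif snap:
            dow = (t.weekday() + 1) % 7          # Python Mon=0 -> %w Sun=0
            t = t - timedelta(days=(dow - int(snap[1])) % 7)
            t = t.replace(hour=0, minute=0, second=0, microsecond=0)
        else:
            t += timedelta(**{"days" if unit == "d" else "hours": int(amount)})
    if pos != len(modifier):
        raise ValueError(f"unsupported syntax in {modifier!r}")
    return t

def window(now_iso: str, variant=case_modifiers) -> tuple:
    """(earliest_mod, latest_mod, earliest_time, latest_time) for the previous
    business day relative to an ISO timestamp such as "2024-03-11 10:30"."""
    now = datetime.fromisoformat(now_iso)   # constructed sample input, e.g. a Monday
    earliest, latest = variant(now)
    return earliest, latest, str(resolve(earliest, now)), str(resolve(latest, now))
```

Calling window("2024-03-11 10:30") (a Monday) resolves both modifiers to Friday 2024-03-08, which is the case the thread is about.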