- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I calculate the date difference for two tim...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I have two timestamps , both are NOT _time.
- Received Date - 09/10/16
- Processed Date - 09/14/16
I need to calculate the age of these two, but need to exclude weekends. I need something like below
base search | eval age = (Processed Date - Received date). | table age
In the above example the result should be 2, so that weekend is excluded..
It should not be 4.
I think date_wday excludes days from _time only. But for me the timestamp for calculating the age is not _time.
Please advise on how to exclude the weekends. Also, please advise on how to exclude public holidays as well. Thanks so much in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this (run anywhere sample, replace first line with your current search.
| gentimes start=-1 | eval Processdate="9/14/2016" | table Processdate| eval Receivedate="9/10/2016"
| eval dates=mvrange(strptime(Receivedate,"%m/%d/%Y"),strptime(Processdate,"%m/%d/%Y"),86400) | convert ctime(dates) timeformat="%A" | eval dates=mvfilter(NOT match(dates,"(Saturday|Sunday)")) | eval noOfDays=mvcount(dates)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this (run anywhere sample, replace first line with your current search.
| gentimes start=-1 | eval Processdate="9/14/2016" | table Processdate| eval Receivedate="9/10/2016"
| eval dates=mvrange(strptime(Receivedate,"%m/%d/%Y"),strptime(Processdate,"%m/%d/%Y"),86400) | convert ctime(dates) timeformat="%A" | eval dates=mvfilter(NOT match(dates,"(Saturday|Sunday)")) | eval noOfDays=mvcount(dates)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks so much. excellent.. this worked for me.. BTW, i didnt use gentimes start=-1, is it mandatory?
And how to exclude public holidays...thanks again for your help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This line is to generate a sample data to show the remaining processing steps. The whole thing should be replaced by your search which get the required data.
| gentimes start=-1 | eval Processdate="9/14/2016" | table Processdate| eval Receivedate="9/10/2016"
There is no in-build way to identify public holidays in Splunk, you would need to create some custom lookup with dates which are publich holidays and exclude them (not straightforward way. Don't have a ready to use solution, will need to figure that one out).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@somesoni2 you're solution is fascinating. I don't use the mvrange or mvcount much. Can you explain what is happening in the eval | eval dates=mvrange(strptime(Receivedate,"%m/%d/%Y"),strptime(Processdate,"%m/%d/%Y"),86400) please
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's basically creating a multivalued field dates with arithmetic series starting with epoch value of Receivedate, ending at epoch value of Processdata, with step of 86400 (1 day in secs). I think it would be clearer if you can run this query
| gentimes start=-1 | eval Processdate="9/14/2016" | table Processdate| eval Receivedate="9/10/2016" | eval dates_epoch=mvrange(strptime(Receivedate,"%m/%d/%Y"),strptime(Processdate,"%m/%d/%Y"),86400)
| convert ctime(dates_epoch) as dates_human
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@somesoni2 : Do you have the solution to identify holidays yet ?
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think so. As I mentioned before, for excluding public holidays, you'd need to setup a lookup table with list of holidays. You can find one here: https://gist.github.com/shivaas/4758439
Once you've your lookup table setup, say holidays.csv with column date (holiday date in format %Y-%m-%d,name (don't really care for this column), your query would be like this (using a sample data):
| gentimes start=-1 | eval Processdate="06/01/2018" | table Processdate| eval Receivedate="05/01/2018"
| eval dates=mvrange(strptime(Receivedate,"%m/%d/%Y"),strptime(Processdate,"%m/%d/%Y"),86400) | convert ctime(dates) timeformat="%A %Y-%m-%d" | eval workdays=mvfilter(NOT match(dates,[| inputlookup holidays.csv | stats values(date) as date| eval date=mvappend("(Saturday",date,"Sunday)")| eval search=mvjoin(date,"|") | table search | format "" "" "" "" "" ""])) | eval noOfDays=mvcount(dates)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Thanks for your reply.
Getting the below error :
Error in 'eval' command: The expression is malformed. An unexpected character is reached at ') ))'.
Also, the last part, shouldn't it be mvcount(workdays) instead of mvcount(dates) ?
Thanks in advance for your reply.
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
