- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How edit my search to exclude holidays (with the h...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How edit my search to exclude holidays (with the help of lookup)?
eval dates=mvrange(strptime(insrt_date,"%Y-%m-%d"),strptime(updt_date,"%Y-%m-%d"),86400) | convert ctime(dates) timeformat="%A" | eval dates=mvfilter(NOT match(dates,"(Saturday|Sunday)"))
I have my search to exclude the weekends. Can someone help me with how to include lookup in my search so it excludes the days present in my holiday lookup?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
eval date=mvrange(strptime(insrt_date,"%Y-%m-%d"),strptime(updt_date,"%Y-%m-%d"),86400) | convert ctime(date) as dates timeformat="%A" | eval dates=mvfilter(NOT match(dates,"(Saturday|Sunday)")) | mvexpand date | search NOT [| inputlookup lookupfile.csv | eval datefield=strptime(datefield, "%Y-%m-%d") | rename datefield=date | fields date]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you please show me how my lookup table should look like?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is not giving me dates in a single cell of the same daterange but instead its dividing it. Please help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your lookup table should have at least the date for the holidays in a field called datefield. The format for the dates should be %Y-%m-%d. You can have additional fields, if you choose.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is not giving me dates in a single cell of the same daterange but instead its dividing it. Please help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not sure I understand. Can you share some samples?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
eval date=mvrange(strptime(insrt_date,"%Y-%m-%d"),strptime(updt_date,"%Y-%m-%d"),86400)
this will give me dates in a single row cell like below
1. 2016-09-23
2016-09-24
2016-09-25
2016-09-26
Now when i put the date for the lookup to compare and exclude holidays it gives me dates in different rows like
1. 2016-09-23
2. 2016-09-24
3. 2016-09-25
4. 2016-09-26
I don't want them in different rows
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
