How can i remove weekends from Log Times

c_krishna_gutur · ‎08-05-2017

Hi Team,

I have a scenario where the data is feeded into index on regular basis which consists of Date fields , i want to remove weekends from that date fields . How can i achieve this. for example i am having date field1 and date field2, i am subtracting field1 from field2 and getting the difference in number of days, from this result i need to exclude weekends [Saturday and Sundays]. Please help me how can i acheive this

DalJeanis · ‎08-05-2017

Sounds like the question you really want to ask is "how do I count the number of weekdays between Date1 and Date2?

| eval Day1=strftime(Date1,"%w")
| eval Day2=strftime(Date2,"%w")
| eval DaysBetween = (5*floor((Date2-Date1)/86400/7))+if(Day1<Day2,Day2-Day1,5+Day2-Day1)

This translates as 1-2) tell me what day of the week 0-7 each day is,
3) Calculate 5 days for each full 7 days, plus the difference between the start and end days, adding 5 if the end day is earlier in the week than the start day.

I'm assuming that you are NOT counting both days, so for example the number of days between Tuesday and Thursday is 2. If you want that to be 3 instead, then add 1 more.

I'm also assuming that the endpoints will never be on weekends, and you don't care about holidays. If those aren't true, it will have to be a lot more complex.

mattymo · ‎08-05-2017

The solution you choose has a lot to do with how you have ingested your data and what fields are extracted.

When the sourcetype is properly extracting a timestamp, Splunk can identify a day field called date_wday.

If you have this field you can filter these days out in your search with something like NOT (date_wday=Saturday OR date_wday=Sunday)

A lot will depend on your sourcetype configuration in props.conf, so if you share a sample event we can assist further

- MattyMo

How can i remove weekends from Log Times

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life