Search code examples
splunksplunk-query

splunk and how to do alerting on the first/last business day

Splunk cron job does not provide a way for running scheduled queries on last and first business days of a month.

In that case I need to provide the data in the query and pass it to alerting condition.

For example: I need to check each last business day if a file has been delivered. So an ideal alerting condition is: count < 1 AND is_last_business_day=1

Here I need to check if the query was executed on the last business day.

I wonder if someone can help with a query to check if it is the last business day and pass it as a field. So it can be used in alert conditions.

Solution

  • After trying many things and also using some parts of the query from Daniel here is my solution.

    I think this can be improved and may become a shorter query. I tried to write a query that is not the shortest but easy to understand.

    The | stats count in the beginning is just to give eval values in the query output even without any results. So you can test the query without any additional conditions or waiting for some dataset results.

    I have tested this query with multiple dates and it is working.

    | stats count 
| eval mydate=strptime("07/28/2022", "%m/%d/%Y")
| eval today_weekday=strftime(mydate,"%w") 
| eval today_number=strftime(mydate,"%d") 
| eval is_today_business_day=if(today_weekday>=1 and today_weekday<=5,1,0) 
``` caluclate last day of month ```
| eval last_day_number=strftime(relative_time(now(),"@month-1d"),"%d")
``` tomorrow for checking if it is a business day ```
| eval tomorrow=relative_time(mydate,"+1d@d") 
| eval tomorrow_day=strftime(tomorrow,"%w") 
| eval tomorrow_number =strftime(tomorrow,"%d") 
| eval is_tomorrow_business_day=if(tomorrow_day>=1 and tomorrow_day<=5,1,0) 
| eval is_tomorrow_day_one=if(tomorrow_number=1,1,0) 
| eval is_today_in_last_3days=if(today_number>last_day_number-3,1,0)
``` is today a business day AND is today in the last 3 days of month and ( is tomorrow not a businessday OR is tomorrow day one of next month ```
| eval is_today_last_business_day=if(is_today_business_day=1 and is_today_in_last_3days=1 and (is_tomorrow_business_day!=1 OR is_tomorrow_day_one=1),1,0)