lullu

lullu is a pretty cool user. Here are a bunch of searches created by lullu

detect time problems (index time and event time being very different)

sourcetype=*
| eval diff=_indextime-_time
| eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S")
| table indextime _time diff sourcetype
| where diff!=0
| timechart avg(diff) max(diff) by sourcetype

purpose:

requirements:

comments:

this search simply graphs the time difference (in seconds) between the event time and the indexing time by sourcetype: this helps troubleshoot sourcetype time issues (wrong timestamp extraction, wrong timezone, or indexing lag). The original search filtered on an undefined field (`lat`), which matched nothing; it now filters on `diff` so that only events whose index time differs from their event time are charted.

calculate duration without weekends

| makeresults count=5 
| eval aging=random()%25 
| eval end=_time 
| eval start=end-(aging*86400) 
| eval range=mvrange(start, end, 86400) 
| convert ctime(range) timeformat="%+" 
| eval BusinessDays=mvcount(mvfilter(NOT match(range,"(Sun|Sat).*")))

purpose:

calculate a duration excluding weekend days

requirements:

comments:

if you have a start and an end time, this calculates the duration in business days, excluding weekends, using mvrange. mvrange generates one timestamp every 86400 seconds from start up to (but not including) end; convert renders each one with a day-of-week prefix, mvfilter drops the Saturday and Sunday entries, and mvcount returns how many remain.
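The same technique applied to real start/end fields instead of random ages, as an added example that is not part of lullu's original searches. The ticket rows, the `opened`/`closed` field names and the timestamp format are constructed for the example; it also handles the two cases the makeresults version cannot hit: an end earlier than the start (mvrange would return nothing useful, so the range is suppressed and the status flagged) and a range falling entirely on a weekend (mvfilter returns an empty multivalue, which mvcount reports as null, so it is coalesced to 0).

```spl
| makeresults
| eval rows="T-1|2021-03-01 09:00:00|2021-03-08 17:00:00,T-2|2021-03-05 09:00:00|2021-03-08 17:00:00,T-3|2021-03-06 09:00:00|2021-03-07 17:00:00,T-4|2021-03-10 09:00:00|2021-03-09 17:00:00"
| eval rows=split(rows, ",")
| mvexpand rows
| rex field=rows "^(?<ticket_id>[^|]+)\|(?<opened>[^|]+)\|(?<closed>[^|]+)$"
| eval start=strptime(opened, "%Y-%m-%d %H:%M:%S")
| eval end=strptime(closed, "%Y-%m-%d %H:%M:%S")
| eval range=if(end > start, mvrange(start, end, 86400), null())
| convert ctime(range) timeformat="%+"
| eval BusinessDays=coalesce(mvcount(mvfilter(NOT match(range, "^(Sun|Sat)"))), 0)
| eval Status=case(isnull(start) OR isnull(end), "bad timestamp", end < start, "closed before opened", true(), "ok")
| table ticket_id opened closed BusinessDays Status
```

Because mvrange steps from the start timestamp and excludes the end, a ticket opened on a Friday morning and closed the following Monday afternoon counts the Friday and the Monday but not the partial day after the last step; adjust the step or add 86400 to `end` if your definition of a business day differs.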