In Splunk, you can build your correlation searches around holidays, days off and business hours.
You need two lookup files.
The first one is holiday_lookup, which holds the holidays and must be filled in exactly according to the format I specify. I have also uploaded a sample CSV file that you can use as an example.
The right format is: Year-Month-Day
The second one is hours_lookup, which should contain the business hours in the specified format. I have also uploaded a sample CSV file that you can use as an example.
Your Search | ....
| eval date=strftime(_time, "%Y-%m-%d")
| eval day_of_week=strftime(_time, "%A")
| eval hours=strftime(_time, "%H")
| lookup holiday_lookup date output holiday_description
| lookup hours_lookup hours output is_business_hours
| eval is_Holiday=if(isnotnull(holiday_description), "Yes", "No")
| eval is_day_off=if(day_of_week=="Thursday","Yes",if(day_of_week=="Friday","Yes","No"))
| eval is_business_hours=if(isnotnull(is_business_hours),"Yes","No")
Note: You must put this at the end of your search commands. Also, for simplicity, you can wrap it in a macro.
In my example I used Thursday and Friday:
| eval is_day_off=if(day_of_week=="Thursday","Yes",if(day_of_week=="Friday","Yes","No"))
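Added example, not part of the original post or its sample CSV files: the lookups match on the exact strings that strftime produces, so a holiday row such as 2024-3-20 or an hour written as 9 instead of 09 never matches and the event is silently labelled "No". This Python script flags such holiday rows and mirrors the eval/lookup logic above. The column names come from the search; the function names, the rows and the 08-16 business hours are assumptions made for the example.

```python
import csv
import io
from datetime import datetime

# Constructed lookup contents: column names come from the search above,
# the rows (and the 08-16 business hours) are made up for this example.
HOLIDAY_CSV = """date,holiday_description
2024-01-01,New Year
2024-3-20,Bad row: month not zero-padded
"""
HOURS_CSV = "hours,is_business_hours\n" + "".join(f"{h:02d},Yes\n" for h in range(8, 17))


def load_lookup(text, key, value):
    """Read CSV text into {key: value}, like a CSV lookup keyed on one field."""
    return {row[key]: row[value] for row in csv.DictReader(io.StringIO(text))}


def bad_holiday_keys(holidays):
    """Return keys that strftime(_time, "%Y-%m-%d") can never produce."""
    bad = []
    for key in holidays:
        try:
            # Round-trip: strptime accepts "2024-3-20", strftime re-pads it.
            ok = datetime.strptime(key, "%Y-%m-%d").strftime("%Y-%m-%d") == key
        except ValueError:
            ok = False
        if not ok:
            bad.append(key)
    return bad


def enrich(ts, holidays, hours, days_off=("Thursday", "Friday")):
    """Mirror the eval/lookup chain of the search for one event timestamp."""
    date, day_of_week, hour = (ts.strftime(f) for f in ("%Y-%m-%d", "%A", "%H"))
    return {
        "is_Holiday": "Yes" if holidays.get(date) else "No",
        "is_day_off": "Yes" if day_of_week in days_off else "No",
        "is_business_hours": "Yes" if hours.get(hour) else "No",
    }


if __name__ == "__main__":
    holidays = load_lookup(HOLIDAY_CSV, "date", "holiday_description")
    hours = load_lookup(HOURS_CSV, "hours", "is_business_hours")
    print("rows that will never match:", bad_holiday_keys(holidays))
    for ts in (datetime(2024, 1, 1, 9, 30), datetime(2024, 3, 20, 22, 0)):
        print(ts, enrich(ts, holidays, hours))
```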