- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- No date_wday from U.F. collecting windows event lo...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was collecting windows event logs using agent less Splunk server through remote WMI calls and the "sourcetype=WMI:WinEventLog:*" _raw data had a date format like this "20111020135801.037162"
Splunk indexed the data with the customary date formats to include date_wday
I have recently switched to U.F. collection and the locally collected and forwarded "sourcetype=WinEventLog:*" _raw data has a date format like this "10/20/11 2:08:42.000 PM" which does not include the date_wday.
I am assuming that this date format is preprocessed at the U.F. before sending.
Some of my reports are dependent on the day of the week because maintenance night is Wednesday.
How do I get date_wday and the others back into my U.F. “sourcetype=WinEventLog:*" data?
By the way, I am also collecting WMI data locally on the U.F. and the date format is not preprocessed at the U.F. so the date formats are derived correctly during indexing.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This (unfortunately) seems to be more or less expected behaviour, as per the response received from support in this question: http://splunk-base.splunk.com/answers/30822/date_hour-not-present-in-wineventlogs
As you can see on the same page, there are workarounds you can use for getting date_wday in other ways instead.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This (unfortunately) seems to be more or less expected behaviour, as per the response received from support in this question: http://splunk-base.splunk.com/answers/30822/date_hour-not-present-in-wineventlogs
As you can see on the same page, there are workarounds you can use for getting date_wday in other ways instead.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is Great Stuff
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For getting date_wday using strftime, use the %A directive. Like this:
... | eval date_wday = strftime(_time, "%A")
For more strftime directives, see for instance http://strftime.org/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ayn,
I saw your other post for date_hour. Could I trouble you to help with the code for date_wday. Pretty Please, Splunk Master!!!
Mike H.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks this was very helpful
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
