
What is the command/syntax to specify a day of the week for searching?

jlkokko
Path Finder

What is the proper command/syntax to specify a day of the week for searching (converting date/timestamp)?

example: index="" sourcetype="abc" | other criteria | *only Thursdays*

1 Solution

wpreston
Motivator

You can eval _time into a text day of the week and then search for that. For example, if you wanted to search for a condition over the previous month but are only interested in what happened each Thursday of that month:

index="" sourcetype="abc" | other criteria | eval DayOfWeek=strftime(_time, "%A") | search DayOfWeek="Thursday"

You can find more information on strftime and date formatting here, here and here.

Alternatively, you can set up a calculated field extraction in props.conf that performs this time transformation for you at search time, and then just search for DayOfWeek=Thursday in the initial part of the search or at any time afterwards. Your props.conf extraction would look like this:

EVAL-DayOfWeek = strftime(_time, "%A")

More information on calculated fields here.

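To make the eval/search step concrete against the row format quoted later in this thread, here is an added Python model of it (not from the thread or from Splunk): it takes the first CSV field as the event date, derives the day name the way `strftime(_time, "%A")` does, derives the lowercase `date_wday` form, and keeps only Thursdays across several years. The sample rows are constructed, not real data.

```python
from datetime import datetime

# Constructed sample events in the format the question shows
# (date,open,high,low,close,volume,adj_close); not data from the thread.
SAMPLE_EVENTS = """\
2012-01-03,28.50,28.60,28.20,28.40,310000,2.50
2012-01-04,28.40,28.55,28.30,28.38,295000,2.49
2012-01-05,28.38,28.50,28.25,28.25,362800,2.48
2012-01-12,28.10,28.40,28.00,28.30,301200,2.47
2013-01-10,30.00,30.20,29.80,30.10,280000,2.60
"""


def day_of_week(event_line: str) -> str:
    """Mimic `eval DayOfWeek=strftime(_time, "%A")`.

    The first CSV field is the date that _time would be extracted from
    (the TIME_FORMAT that strive mentions); %A gives the full day name.
    """
    date_str = event_line.split(",", 1)[0]
    return datetime.strptime(date_str, "%Y-%m-%d").strftime("%A")


def date_wday(event_line: str) -> str:
    """Mimic the built-in date_wday field, which Splunk stores in lowercase."""
    return day_of_week(event_line).lower()


def only_weekday(events: str, weekday: str = "Thursday") -> list[str]:
    """Mimic `| search DayOfWeek="Thursday"` over the raw events.

    Splunk's search command matches field values case-insensitively,
    so the comparison is case-folded here as well.
    """
    return [
        line for line in events.splitlines()
        if line and day_of_week(line).casefold() == weekday.casefold()
    ]


if __name__ == "__main__":
    for event in only_weekday(SAMPLE_EVENTS):
        print(event)
```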

somesoni2
SplunkTrust

You can utilize in-built fields like date_wday to filter your events for just Thursday. Note that this field may not be present for all data sources. In that case you can create a date_wday field from _time using strftime function.

strive
Influencer

Assuming that you need to run the search only for Thursday's data:

index="" sourcetype="abc" earliest=@w4 latest=@w5

If you need to run the search every Thursday then you need to use cron_schedule.

As ppablo commented, if you can tell us whether it is a live or a scheduled search, then we can help in a better way.

strive
Influencer

If your log event is

2012-01-05,28.38,28.50,28.25,28.25,362800,2.48

and you have TIME_FORMAT properly defined in your props.conf file, then follow the approach that wpreston has suggested.

jlkokko
Path Finder

Thank you for the doc reference! This is not a cron'd search. I'm parsing several years worth of data but I only want to return a specific day of the week.

Data format is as such:

2012-01-05,28.38,28.50,28.25,28.25,362800,2.48

Does earliest/latest require a conversion of the date to a day first?

ppablo
Retired

Hi @jlkokko

If you're doing a live search, the following documentation on specifying time modifiers should be what you're looking for. (@strive's search will do the trick)
http://docs.splunk.com/Documentation/Splunk/6.1.2/Search/Specifytimemodifiersinyoursearch

If you're setting up a scheduled search, a cron schedule might make more sense.
http://docs.splunk.com/Documentation/Splunk/6.1.2/Report/Schedulereports#Specify_a_cron_schedule_for...

ppablo
Retired

Hi @jlkokko

Are you trying do a live search or set up a scheduled search?
