You can eval _time into a text day of the week and then search for that. For example, if you wanted to search for a condition over the previous month but are only interested in what happened each Thursday of that month:
index="" sourcetype="abc" | other criteria | eval DayOfWeek=strftime(_time, "%A") | search DayOfWeek="Thursday"
You can find more information on strftime and date formatting here, here and here.
Alternatively, you can set up a calculated field extraction in props.conf that performs this time transformation for you at search time and just search for DayOfWeek=Thursday in the initial part of the search or at any time afterwards. Your props.conf extraction would look like this:
EVAL-DayOfWeek = strftime(_time, "%A")
More information on calculated fields here.
You can utilize in-built fields like date_wday to filter your events for just Thursday. Note that this field may not be present for all data sources. In that case you can create a date_wday field from _time using strftime function.
Assuming that you need to run the search only for Thursday's data:
index="" sourcetype="abc" earliest=@w4 latest=@w5
If you need to run the search every Thursday then you need to use cron_schedule.
As ppablo commented, if you can tell us whether it is a live or a scheduled search then we can help in a better way.
If your log event is
2012-01-05,28.38,28.50,28.25,28.25,362800,2.48
and you have TIME_FORMAT properly defined in your props.conf file then follow the approach that wpreston has suggested.
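The two approaches given above (eval DayOfWeek=strftime(_time, "%A") from wpreston's answer, and date_wday plus the earliest=@w4 latest=@w5 time modifiers from strive's) can be modelled outside Splunk to see exactly which events each one keeps. The Python below is an added example, not code from any of the answers and not Splunk's own implementation: it parses events in the CSV layout the question shows (only the 2012-01-05 line is from the page; the other lines are constructed), assigns each one a _time the way a TIME_FORMAT of %Y-%m-%d would, filters on the day name, and models the @wN snap-to-weekday rule (midnight of the most recent Sunday=0 ... Saturday=6, at or before the reference time). The function names and the assumed TIME_FORMAT are mine.

```python
from __future__ import annotations
from datetime import datetime, timedelta

# Constructed sample events in the CSV layout shown in the question. Only the
# 2012-01-05 line is from the page; the others are made up for illustration.
SAMPLE_EVENTS = """\
2012-01-02,27.90,28.10,27.80,28.00,301200,2.45
2012-01-05,28.38,28.50,28.25,28.25,362800,2.48
2012-01-12,28.60,28.75,28.40,28.55,298400,2.49
2012-01-13,28.55,28.70,28.30,28.35,310900,2.47
2012-01-19,28.40,28.65,28.20,28.60,355100,2.50
"""

# Assumed equivalent of the TIME_FORMAT setting in props.conf for this data.
TIME_FORMAT = "%Y-%m-%d"


def parse_events(text: str) -> list[tuple[datetime, str]]:
    """Turn raw lines into (_time, _raw) pairs, as a TIME_FORMAT extraction
    would when it assigns each event its _time from the first CSV field."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts = datetime.strptime(line.split(",")[0], TIME_FORMAT)
        events.append((ts, line))
    return events


def day_of_week(ts: datetime) -> str:
    """Equivalent of: eval DayOfWeek=strftime(_time, "%A")  -> e.g. "Thursday"."""
    return ts.strftime("%A")


def date_wday(ts: datetime) -> str:
    """Splunk's built-in date_wday field is the lowercase day name, e.g. "thursday"."""
    return ts.strftime("%A").lower()


def filter_weekday(events: list[tuple[datetime, str]], weekday: str = "Thursday") -> list[str]:
    """Equivalent of: ... | eval DayOfWeek=strftime(_time, "%A") | search DayOfWeek="Thursday"."""
    return [raw for ts, raw in events if day_of_week(ts) == weekday]


def snap_to_weekday(now: datetime, splunk_wday: int) -> datetime:
    """Model of the @wN time modifier: midnight of the most recent day numbered
    splunk_wday (0 = Sunday ... 6 = Saturday) at or before `now`."""
    now_as_splunk = (now.weekday() + 1) % 7   # Python: Monday=0; Splunk: Sunday=0
    days_back = (now_as_splunk - splunk_wday) % 7
    snapped = now - timedelta(days=days_back)
    return snapped.replace(hour=0, minute=0, second=0, microsecond=0)


def search_window(events: list[tuple[datetime, str]], now: datetime,
                  earliest_w: int = 4, latest_w: int = 5) -> list[str]:
    """Equivalent of: earliest=@w4 latest=@w5, evaluated relative to `now`.
    Events are kept when earliest <= _time < latest."""
    earliest = snap_to_weekday(now, earliest_w)
    latest = snap_to_weekday(now, latest_w)
    return [raw for ts, raw in events if earliest <= ts < latest]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for raw in filter_weekday(evs):
        print("Thursday event:", raw)
    # Reference time is a Friday, so @w4 is the day before and @w5 is today.
    print("earliest=@w4 latest=@w5 as of Fri 2012-01-20:",
          search_window(evs, datetime(2012, 1, 20, 9)))
```

Running the day-name filter over several years of data returns every Thursday, which is what the question asks for. The snapped window behaves differently: it only ever covers the single most recent Thursday, and because each @wN snaps backwards independently, a reference time that itself falls on a Thursday gives an earliest of that morning and a latest of the previous Friday, so the window is empty. That is worth checking before relying on earliest=@w4 latest=@w5 in a scheduled search.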
Thank you for the doc reference! This is not a cron'd search. I'm parsing several years' worth of data but I only want to return a specific day of the week.
Data format is as such:
2012-01-05,28.38,28.50,28.25,28.25,362800,2.48
Does earliest/latest require a conversion of the date to a day first?
Hi @jlkokko
If you're doing a live search, the following documentation on specifying time modifiers should be what you're looking for. (@strive's search will do the trick)
http://docs.splunk.com/Documentation/Splunk/6.1.2/Search/Specifytimemodifiersinyoursearch
If you're setting up a scheduled search, a cron schedule might make more sense.
http://docs.splunk.com/Documentation/Splunk/6.1.2/Report/Schedulereports#Specify_a_cron_schedule_for...
Hi @jlkokko
Are you trying to do a live search or set up a scheduled search?