Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to write a search to get the week number of the month from the given _time?

prachisaxena
Explorer
‎04-12-2016 02:01 AM

We need to extract the week number of the month for matching the SLA. Have SLA such as 2nd or 4th week of a month.
So it is needed to extract the week no from the event date.

My time format is something like below and we need to get output like "11 April 2016 is 2nd Monday of April." and "15 April is 3rd Friday of April"
eg:
_time= 2016/04/11 15:29:12

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gabriel_vasseur
Contributor
‎04-12-2016 06:04 AM

How about:

... | eval day=strftime(_time,"%d") | eval day_number=floor(day/7)+1 | eval str=strftime(_time,"%A") . " number " . day_number . " of " . strftime(_time, "%B" )

Test it and see if it does what you want. Note: you will want to tweak that to have "second" instead of "number 2", "third" instead of "number 3", etc...

View solution in original post

Reply
Solved! Jump to solution
Solution

gabriel_vasseur
Contributor
‎04-12-2016 06:04 AM

How about:

... | eval day=strftime(_time,"%d") | eval day_number=floor(day/7)+1 | eval str=strftime(_time,"%A") . " number " . day_number . " of " . strftime(_time, "%B" )

Test it and see if it does what you want. Note: you will want to tweak that to have "second" instead of "number 2", "third" instead of "number 3", etc...

Reply
Solved! Jump to solution

prachisaxena
Explorer
‎04-12-2016 08:28 AM

Hi Gabriel,

Thank you so much for answering.
However, the given query is giving me the day number of week and month as below. What i actually need is the week number. Like we have 4 weeks in a month - week1 -> day 1-7 ...... week 2 -> day 1-7

such that for _time = 2016-03-31 11:30:00 --> 31st march is 5th Thursday of March

_time=2016-03-31 11:30:02

day =31
day_number=5

str=Thursday number 5 of March

0 Karma
Reply
Solved! Jump to solution

gabriel_vasseur
Contributor
‎04-13-2016 02:05 AM

Just to be complete, here is one way to convert the day number in a rank:

... | eval day_rank=case(day_number=1,"first", day_number=2,"second", day_number=3,"third", day_number=4,"fourth", day_number=5,"fifth" ) | ...

You can then rearrange the final concatenation to use day_rank instead of day_number.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎04-12-2016 08:38 AM

With some additional string concatenation, above works. See this run anywhere sample (line 1 to generate data)

| gentimes start=-1 | eval _time=strptime("03/31/2016","%m/%d/%Y") | table _time 
| eval day=strftime(_time,"%d") | eval day_number=floor(day/7)+1 | eval str=strftime(_time,"%F")." is number ".day_number." ".strftime(_time,"%A").  " of month " . strftime(_time, "%B" )

Output
2016-03-31 is number 5 Thursday of month March

Reply
Solved! Jump to solution

prachisaxena
Explorer
‎04-12-2016 08:45 AM

yes, its working .. thank you

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...