Splunk Search

Trying to get a range of dates right based on a last Saturday of the month

maximusdm
Communicator

Hi there, the 1st and 3rd statements are wrong and the 2nd might be correct.
Here is what I am trying to do:

Current Month: (meaning beginning of the current MONTH up to the last SATURDAY of the current month):
          <earliest>@mon</earliest>
          <latest>now</latest>
          example: Feb 1st through 4th (previous SAT)

Month to Date: (meaning beginning of the current MONTH up to today's date):
          <earliest>@mon</earliest>
          <latest>now</latest>
          example: Feb 1st to 7 (today's date)

Year to Date: (meaning beginning of the current YEAR up to the last SATURDAY of the current month):
          <earliest>@y</earliest>
          <latest>now</latest>
          example: JAN 1st to last SATURDAY of February

Thank you

0 Karma
1 Solution

somesoni2
SplunkTrust

Here you go

Updated

Current Month: (meaning beginning of the current MONTH up to the last SATURDAY of the current month):
           <earliest>@mon</earliest>
           <latest>@w6+1d</latest>
           example: Feb 1st through 4th (previous SAT)

Month to Date: (meaning beginning of the current MONTH up to today's date): THIS WAS CORRECT already.
           <earliest>@mon</earliest>
           <latest>now</latest>
           example: Feb 1st to 7 (today's date)

Year to Date: (meaning beginning of the current YEAR up to the last SATURDAY of the current month):
           <earliest>@y</earliest>
           <latest>+1mon@mon@w6+1d</latest>
           example: JAN 1st to last SATURDAY of February


0 Karma


maximusdm
Communicator

Wouldn't it be better to use @w-1s (data up to 11:59:59 PM) instead of @w6 (data up to 12:00:00 AM)?

0 Karma

somesoni2
SplunkTrust

The latest timestamp is not included in the time range, so you will miss events that have happened at 11:59:59 PM. A better option would be to just use @w6+1d so that the full Saturday's data is counted. Updated the answer accordingly.

0 Karma

maximusdm
Communicator

Thanks again!

0 Karma

maximusdm
Communicator

Thank you sir.

0 Karma
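The ranges discussed in this thread, worked through on concrete dates as an added example that is not part of the original posts: a Python emulation of the modifiers, not Splunk's own code. It assumes that a snap (`@mon`, `@y`, `@w6`) rounds down to the most recent boundary at or before the given time and that `latest` is exclusive; the 2017 dates and function names are constructed to match the thread's "Feb 7" example.

```python
from datetime import datetime, timedelta

# Emulates the Splunk time modifiers from this thread. Assumed semantics:
# "@unit" snaps DOWN to the most recent boundary at or before the given time,
# and a search window is half-open: earliest <= _time < latest.
DAY = timedelta(days=1)

def snap_month(t):            # @mon
    return t.replace(day=1, hour=0, minute=0, second=0, microsecond=0)

def snap_year(t):             # @y
    return snap_month(t).replace(month=1)

def snap_saturday(t):         # @w6 (Python weekday(): Monday=0 ... Saturday=5)
    midnight = t.replace(hour=0, minute=0, second=0, microsecond=0)
    return midnight - timedelta(days=(midnight.weekday() - 5) % 7)

def next_month_start(t):      # +1mon@mon
    return snap_month(snap_month(t) + timedelta(days=32))

def current_month(now):       # earliest=@mon, latest=@w6+1d
    return snap_month(now), snap_saturday(now) + DAY

def year_to_date(now):        # earliest=@y, latest=+1mon@mon@w6+1d
    return snap_year(now), snap_saturday(next_month_start(now)) + DAY

def in_window(event, window):
    earliest, latest = window
    return earliest <= event < latest

def demo():
    now = datetime(2017, 2, 7, 10, 30)           # constructed "today": Tue Feb 7
    late_sat = datetime(2017, 2, 4, 23, 59, 59)  # constructed event, Sat night
    rows = {
        "current month": current_month(now),
        "year to date": year_to_date(now),
        # Cases to check before relying on these ranges in a dashboard:
        "before first Saturday (Feb 2)": current_month(datetime(2017, 2, 2)),
        "next month starts on Saturday (Mar 15)": year_to_date(datetime(2017, 3, 15)),
    }
    for name, (earliest, latest) in rows.items():
        print(f"{name:40} {earliest:%Y-%m-%d %H:%M} -> {latest:%Y-%m-%d %H:%M}")
    only_w6 = (snap_month(now), snap_saturday(now))
    print("latest=@w6    keeps Sat 23:59:59:", in_window(late_sat, only_w6))
    print("latest=@w6+1d keeps Sat 23:59:59:", in_window(late_sat, current_month(now)))

if __name__ == "__main__":
    demo()
```

Under these assumptions, a run before the month's first Saturday yields a `latest` that is earlier than `earliest`, and a month whose successor begins on a Saturday has that first day pulled into the year-to-date range.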