Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to find the first saturday of every month?

vpurushottam
Explorer
‎03-20-2019 06:08 AM

Hello,

I am currently stuck with finding the first Saturday of every month. Below is a screenshot of what i currently have:
alt text

So the query that i am working on extracts the number for each each day of the month and creates an mv field and then i work with these values to create a weekly record. And each day of each week for each month.

The issue: As you can see the month starts on Friday which corresponds to week 1 and in the next row you can see that 4th is Monday which lies in 2nd week of the the month. So as of now what my query does is extracts and add the value of Monday to week 1, which is wrong.

What I am looking for: I came up with a solution where i will check the first value of the mv field and extract the date from it. See if this date is less than or equal to 7 and then compare this value with the first Saturday of the month. if this date value is greater than date value of first Saturday i will add another value to mv field ("00 NR Month 0000")

Can anyone help me with a query to find the first Saturday of the month. And also will mvappend work here because while the search goes i observed that mv field gets sorted automatically. So i was assuming when i append the new field (if possible) then it will get automatically sorted.

Thank you in advance. 🙂

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
SplunkTrust
SplunkTrust
‎03-20-2019 01:21 PM

You can use something like this to find the first saturday of a month

| gentimes start=-1 | eval month=mvrange(1,13) | table month | mvexpand month | eval month="05 ".replace("0".month,".*(\d\d)$","\1")." 2019" 
| eval firstSaturday=strftime(relative_time(strptime("01 ".month,"%d %m %Y"),"@mon@w+6d"),"%A %F %T")

Here everything before | eval firstSaturday.. is the generate sample data with date in format dd mm YYYY. Update the time format in strftime/strptime function per yours.

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
SplunkTrust
SplunkTrust
‎03-20-2019 01:21 PM

You can use something like this to find the first saturday of a month

| gentimes start=-1 | eval month=mvrange(1,13) | table month | mvexpand month | eval month="05 ".replace("0".month,".*(\d\d)$","\1")." 2019" 
| eval firstSaturday=strftime(relative_time(strptime("01 ".month,"%d %m %Y"),"@mon@w+6d"),"%A %F %T")

Here everything before | eval firstSaturday.. is the generate sample data with date in format dd mm YYYY. Update the time format in strftime/strptime function per yours.

Reply
Solved! Jump to solution

vpurushottam
Explorer
‎03-21-2019 06:04 AM

Thank you @somesoni2 for your reply but i have a query. I was able to find a way to extract first Saturday using the modifier "+w@w6". Since i am new to splunk so i don't know how different is "@mon@w+6d" from the one that i did ? Will my modifier create an issue sometime later or is it just fine ??/

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...