Is it possible to extract the name of the day and ...

Notinocrunch · ‎11-17-2014

Assuming all my eventdate fields are in the following format: dd/mm/yyyy i.e 12/06/2014

Is it possible to work with the eventdate field in ways such as the following:

Return all events that occured on a Monday
Return all events that occured in June

lguinn2 · ‎11-17-2014

Yes, like this

yoursearchhere
| eval dayofweek = strftime(_time,"%A")
| eval month = strftime(_time,"%m")
| where month=6 AND dayofweek="Monday"

This method does not use the text fields in your input - it actually uses the normalized timestamp that Splunk creates when it parses the incoming data. This is more reliable if you have data coming from multiple timezones, etc.

Notinocrunch · ‎11-17-2014

@Iguinn the timestamp when you import your data is different to the eventdate that the actual event occured on though right? For example, if I import a csv file today that contains records for the past year, I want my search to search on the eventdate withni the CSV and not the day I upload my data.

lguinn2 · ‎11-18-2014

The timestamp (_time) should be the time of the data within the CSV. You should set that up as part of bringing your data into Splunk. Splunk also keeps the time that the data was indexed (_indextime), but that field is rarely used.

If your timestamp does not correspond to the dates within the CSV, you are doing it wrong. If your CSV has headers, you might find this page in the documentation useful: Extract data from files with headers

Is it possible to extract the name of the day and month from an event date field in the format dd/mm/yyyy?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio