topic Re: splunk search query to get data last two months every friday with in time range in Splunk Search https://community.splunk.com/t5/Splunk-Search/splunk-search-query-to-get-data-last-two-months-every-friday/m-p/582403#M202850 <P>You could generate a set of earliest and latest values to use with your search</P><LI-CODE lang="markup">index=_internal [| makeresults | addinfo | eval firstfriday=relative_time(info_min_time,"@w+5d+8h") | eval firstfriday=if(firstfriday&lt;info_min_time,firstfriday+(60*60*24*7),firstfriday) | eval lastfriday=relative_time(info_max_time,"@w+5d+8h+15m") | eval lastfriday=if(lastfriday&gt;info_max_time,lastfriday-(60*60*24*7),lastfriday) | eval weeks=floor((lastfriday-firstfriday)/(60*60*24*7))+1 | eval week=mvrange(0,weeks) | mvexpand week | eval earliest=firstfriday+(week*60*60*24*7) | eval latest=lastfriday-((weeks-week-1)*60*60*24*7) | fields - _time | fields earliest latest | format]</LI-CODE> Tue, 25 Jan 2022 14:49:58 GMT ITWhisperer 2022-01-25T14:49:58Z splunk search query to get data last two months every friday with in time range https://community.splunk.com/t5/Splunk-Search/splunk-search-query-to-get-data-last-two-months-every-friday/m-p/582397#M202848 <P>Hi,<BR /><BR />Splunk search query to get data last two months data.<BR />need only every Friday data in the time range for 15 mins (i.e 08 AM to 08:15 AM every friday) .<BR /><BR /><BR />example:</P><P>Date&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;fieldA<BR />21/01/2022&nbsp; &nbsp; &nbsp; value1<BR />14/01/2022&nbsp; &nbsp; &nbsp; value2<BR />07/01/2022&nbsp; &nbsp; &nbsp;value3</P><P>Can anyone pls suggest how can I achieve this?</P> Tue, 25 Jan 2022 14:10:38 GMT https://community.splunk.com/t5/Splunk-Search/splunk-search-query-to-get-data-last-two-months-every-friday/m-p/582397#M202848 kirrusk 2022-01-25T14:10:38Z Re: splunk search query to get data last two months every friday with in time range https://community.splunk.com/t5/Splunk-Search/splunk-search-query-to-get-data-last-two-months-every-friday/m-p/582400#M202849 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/54377">@kirrusk</a>,</P><P>did you explored the timewrap command (<A href="https://docs.splunk.com/Documentation/Splunk/8.2.4/SearchReference/Timewrap" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.2.4/SearchReference/Timewrap</A>)?</P><P>please, try something like this:</P><LI-CODE lang="markup">index=your_index date_hour=8 date_minute&lt;16 date_wday=friday earliest=-2mon | timechart count span=1d | timewrap 1mon</LI-CODE><P>Ciao.</P><P>Giuseppe</P><P>&nbsp;</P> Tue, 25 Jan 2022 14:31:19 GMT https://community.splunk.com/t5/Splunk-Search/splunk-search-query-to-get-data-last-two-months-every-friday/m-p/582400#M202849 gcusello 2022-01-25T14:31:19Z Re: splunk search query to get data last two months every friday with in time range https://community.splunk.com/t5/Splunk-Search/splunk-search-query-to-get-data-last-two-months-every-friday/m-p/582403#M202850 <P>You could generate a set of earliest and latest values to use with your search</P><LI-CODE lang="markup">index=_internal [| makeresults | addinfo | eval firstfriday=relative_time(info_min_time,"@w+5d+8h") | eval firstfriday=if(firstfriday&lt;info_min_time,firstfriday+(60*60*24*7),firstfriday) | eval lastfriday=relative_time(info_max_time,"@w+5d+8h+15m") | eval lastfriday=if(lastfriday&gt;info_max_time,lastfriday-(60*60*24*7),lastfriday) | eval weeks=floor((lastfriday-firstfriday)/(60*60*24*7))+1 | eval week=mvrange(0,weeks) | mvexpand week | eval earliest=firstfriday+(week*60*60*24*7) | eval latest=lastfriday-((weeks-week-1)*60*60*24*7) | fields - _time | fields earliest latest | format]</LI-CODE> Tue, 25 Jan 2022 14:49:58 GMT https://community.splunk.com/t5/Splunk-Search/splunk-search-query-to-get-data-last-two-months-every-friday/m-p/582403#M202850 ITWhisperer 2022-01-25T14:49:58Z Re: splunk search query to get data last two months every friday with in time range https://community.splunk.com/t5/Splunk-Search/splunk-search-query-to-get-data-last-two-months-every-friday/m-p/582467#M202871 <P>Thanks didn't know about timewrap. Looks useful.</P> Wed, 26 Jan 2022 03:06:27 GMT https://community.splunk.com/t5/Splunk-Search/splunk-search-query-to-get-data-last-two-months-every-friday/m-p/582467#M202871 johnhuang 2022-01-26T03:06:27Z Re: splunk search query to get data last two months every friday with in time range https://community.splunk.com/t5/Splunk-Search/splunk-search-query-to-get-data-last-two-months-every-friday/m-p/582511#M202885 <P>Can you please help to have some sample search, how to use these "earliest " and "latest" in search<BR /><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;</P> Wed, 26 Jan 2022 10:24:05 GMT https://community.splunk.com/t5/Splunk-Search/splunk-search-query-to-get-data-last-two-months-every-friday/m-p/582511#M202885 kirrusk 2022-01-26T10:24:05Z Re: splunk search query to get data last two months every friday with in time range https://community.splunk.com/t5/Splunk-Search/splunk-search-query-to-get-data-last-two-months-every-friday/m-p/582514#M202887 <P>I am not sure what you are asking for here - I posted an example which uses _internal as the index - simply replace this with your index.</P> Wed, 26 Jan 2022 10:30:50 GMT https://community.splunk.com/t5/Splunk-Search/splunk-search-query-to-get-data-last-two-months-every-friday/m-p/582514#M202887 ITWhisperer 2022-01-26T10:30:50Z