https://community.splunk.com/t5/Splunk-Search/No-date-wday-from-U-F-collecting-windows-event-logs/m-p/95701#M24689 <P>This is Great Stuff</P> <P>Thanks</P> Thu, 20 Oct 2011 21:08:56 GMT hartfoml 2011-10-20T21:08:56Z https://community.splunk.com/t5/Splunk-Search/No-date-wday-from-U-F-collecting-windows-event-logs/m-p/95696#M24684 <P>I was collecting windows event logs using agent less Splunk server through remote WMI calls and the "sourcetype=WMI:WinEventLog:*" _raw data had a date format like this "20111020135801.037162"<BR /> Splunk indexed the data with the customary date formats to include date_wday</P> <P>I have recently switched to U.F. collection and the locally collected and forwarded "sourcetype=WinEventLog:*" _raw data has a date format like this "10/20/11 2:08:42.000 PM" which does not include the date_wday.</P> <P>I am assuming that this date format is preprocessed at the U.F. before sending.</P> <P>Some of my reports are dependent on the day of the week because maintenance night is Wednesday.</P> <P>How do I get date_wday and the others back into my U.F. “sourcetype=WinEventLog:*" data?</P> <P>By the way, I am also collecting WMI data locally on the U.F. and the date format is not preprocessed at the U.F. so the date formats are derived correctly during indexing.</P> Thu, 20 Oct 2011 19:20:24 GMT https://community.splunk.com/t5/Splunk-Search/No-date-wday-from-U-F-collecting-windows-event-logs/m-p/95696#M24684 hartfoml 2011-10-20T19:20:24Z https://community.splunk.com/t5/Splunk-Search/No-date-wday-from-U-F-collecting-windows-event-logs/m-p/95697#M24685 <P>This (unfortunately) seems to be more or less expected behaviour, as per the response received from support in this question: <A href="http://splunk-base.splunk.com/answers/30822/date_hour-not-present-in-wineventlogs">http://splunk-base.splunk.com/answers/30822/date_hour-not-present-in-wineventlogs</A></P> <P>As you can see on the same page, there are workarounds you can use for getting <CODE>date_wday</CODE> in other ways instead.</P> Thu, 20 Oct 2011 19:29:49 GMT https://community.splunk.com/t5/Splunk-Search/No-date-wday-from-U-F-collecting-windows-event-logs/m-p/95697#M24685 Ayn 2011-10-20T19:29:49Z https://community.splunk.com/t5/Splunk-Search/No-date-wday-from-U-F-collecting-windows-event-logs/m-p/95698#M24686 <P>Thanks this was very helpful</P> Thu, 20 Oct 2011 19:35:57 GMT https://community.splunk.com/t5/Splunk-Search/No-date-wday-from-U-F-collecting-windows-event-logs/m-p/95698#M24686 hartfoml 2011-10-20T19:35:57Z https://community.splunk.com/t5/Splunk-Search/No-date-wday-from-U-F-collecting-windows-event-logs/m-p/95699#M24687 <P>Ayn,</P> <P>I saw your other post for date_hour. Could I trouble you to help with the code for date_wday. Pretty Please, Splunk Master!!!</P> <P>Mike H.</P> Mon, 28 Sep 2020 10:00:26 GMT https://community.splunk.com/t5/Splunk-Search/No-date-wday-from-U-F-collecting-windows-event-logs/m-p/95699#M24687 hartfoml 2020-09-28T10:00:26Z https://community.splunk.com/t5/Splunk-Search/No-date-wday-from-U-F-collecting-windows-event-logs/m-p/95700#M24688 <P>For getting <CODE>date_wday</CODE> using <CODE>strftime</CODE>, use the %A directive. Like this:</P> <PRE><CODE>... | eval date_wday = strftime(_time, "%A") </CODE></PRE> <P>For more <CODE>strftime</CODE> directives, see for instance <A href="http://strftime.org/">http://strftime.org/</A></P> Thu, 20 Oct 2011 19:56:57 GMT https://community.splunk.com/t5/Splunk-Search/No-date-wday-from-U-F-collecting-windows-event-logs/m-p/95700#M24688 Ayn 2011-10-20T19:56:57Z https://community.splunk.com/t5/Splunk-Search/No-date-wday-from-U-F-collecting-windows-event-logs/m-p/95701#M24689 <P>This is Great Stuff</P> <P>Thanks</P> Thu, 20 Oct 2011 21:08:56 GMT https://community.splunk.com/t5/Splunk-Search/No-date-wday-from-U-F-collecting-windows-event-logs/m-p/95701#M24689 hartfoml 2011-10-20T21:08:56Z