Hi Team,
Is it feasible to configure a dashboard panel search to look for events only on Monday and Tuesday? Please let me know if it is possible.
Thanks,
Anilkumar
Hi @in22915110,
you can use the field date_wday to choose the days of the week you want, something like this:
index=wineventlog (date_wday="monday" OR date_wday="tuesday")
| table _time ComputerName, user
and save this search as a dashboard panel.
Then you can use
Ciao.
Giuseppe
Hi Ciao,
below is the query I want to modify to look for the events which were indexed only on Monday and Tuesday.
index=finance_preprod (date_wday="monday" OR date_wday="tuesday") sourcetype=finance_salesRecon_app_PPE source=frs_integration_engine_PPE message="WEEKLY Feed :*Route file encryption transfer has completed"
| eval event_week_day = strftime(_time,"%w"), event_hour = strftime(_time,"%H"), current_week_day = strftime(now(),"%w"), current_hour = strftime(now(),"%H")
| where event_week_day<=2 AND event_hour<=14
| stats count as weekly_feeds
I tried with your answer, but it's not working. Could you please help me to modify the query?
Hi @in22915110,
your search can be easier:
index=finance_preprod (date_wday="monday" OR date_wday="tuesday") sourcetype=finance_salesRecon_app_PPE source=frs_integration_engine_PPE message="*WEEKLY Feed :Route file encryption transfer has completed" date_hour<=14
| stats count as weekly_feeds
Ciao.
Giuseppe
Hi @gcusello,
Your query is not helping me to search the required events. Could you please share with me the document reference for (date_wday="monday" OR date_wday="tuesday") or date_hour - all implicit fields?
Are these implicit fields derived from the event indexed datetime?
Thanks,
Hi @in22915110,
if you run your search in verbose mode, in the interesting fields you can find many fields as date_wday or date_hour that are automatically extracted from _time by default, so you don't need to use eval command to extract them.
You can find more info at https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/Usedefaultfields .
Why (date_wday="monday" OR date_wday="tuesday") date_hour<=14
cannot replace | eval event_week_day = strftime(_time,"%w"), event_hour = strftime(_time,"%H") | where event_week_day<=2 AND event_hour<=14
for you?
What's the problem? Can I help you?
Ciao.
Giuseppe
Hi @gcusello,
Yes, the implicit variables are not working for me.
I just tried to replace event_hour with date_hour and the query fails to fetch the events.
Please find the screenshots below for your reference
https://ibb.co/crf9Lrr
https://ibb.co/JCKf9fj
Please let me know if you find any issue in the query
Hi @in22915110,
It's very strange, because if I run
index=wineventlog (date_wday="monday" OR date_wday="tuesday") date_hour<="14"
I have results! (in Fast, Smart and Verbose Mode)
Only for my curiosity, does the search with date_hour have results in Verbose Mode?
Anyway, coming back to your question: if your search gives results, what's the problem to save it in a dashboard panel?
Ciao.
Giuseppe
Hi @in22915110,
I found in https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/Usedefaultfields
that "Only events that have timestamp information in them as generated by their respective systems will have date_* fields".
Probably this is the problem!
How are the timestamps of your events generated?
Anyway, coming back to your question: if your search gives results, what's the problem to save it in a dashboard panel?
Ciao.
Giuseppe
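As an added illustration (not part of this thread, and not Splunk's own code), the following Python mimics why the two searches behave differently: the date_* default fields exist only for events whose raw text carried a timestamp, while an eval on _time works for every event, including ones that only got an index time. The sample events, the index time and the timestamp regex are constructed for this example.

```python
import re
from datetime import datetime

# Constructed sample events: four carry their own timestamp, the last one
# does not and would only receive an index-time _time.
RAW_EVENTS = [
    "2024-06-03 09:15:00 WEEKLY Feed : Route file encryption transfer has completed",  # Monday 09h
    "2024-06-04 13:45:00 WEEKLY Feed : Route file encryption transfer has completed",  # Tuesday 13h
    "2024-06-04 16:05:00 WEEKLY Feed : Route file encryption transfer has completed",  # Tuesday 16h
    "2024-06-05 10:00:00 WEEKLY Feed : Route file encryption transfer has completed",  # Wednesday
    "WEEKLY Feed : Route file encryption transfer has completed",                       # no timestamp
]
INDEX_TIME = datetime(2024, 6, 3, 11, 0, 0)   # constructed index time (a Monday, 11h)
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ")

def index_event(raw, index_time=INDEX_TIME):
    """Simplified indexing: _time from the event's own timestamp if present,
    otherwise the index time; date_* fields only when the timestamp was in _raw."""
    m = TS_RE.match(raw)
    if m:
        t = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        return {"_raw": raw, "_time": t, "date_wday": t.strftime("%A").lower(), "date_hour": t.hour}
    return {"_raw": raw, "_time": index_time}

def all_events():
    return [index_event(r) for r in RAW_EVENTS]

def search_default_fields(events):
    """(date_wday="monday" OR date_wday="tuesday") date_hour<=14
    An event with no date_* fields can never match this filter."""
    return [e for e in events
            if e.get("date_wday") in ("monday", "tuesday") and e.get("date_hour", 99) <= 14]

def search_eval_fields(events):
    """| eval event_week_day=strftime(_time,"%w"), event_hour=strftime(_time,"%H")
    | where event_week_day<=2 AND event_hour<=14
    %w numbers Sunday as 0, so <=2 keeps Sunday, Monday and Tuesday."""
    return [e for e in events
            if int(e["_time"].strftime("%w")) <= 2 and int(e["_time"].strftime("%H")) <= 14]

def weekly_feeds(events, use_default_fields):
    """| stats count as weekly_feeds, for either variant of the search."""
    hits = search_default_fields(events) if use_default_fields else search_eval_fields(events)
    return len(hits)
```

Run against the sample, the date_* variant counts 2 feeds and the eval variant counts 3: the untimestamped event is only visible to the eval on _time.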
Hi @gcusello,
Thanks for giving some clarity on the question. I am able to save the result as dashboard panel.
I am already filtering the events for Monday and Tuesday. I was just checking if there is a better way to achieve this.
Thanks for your help, I will try to add timestamp to the events and try.
Thanks.
When I run the search in verbose mode I don't see date_hour or date_wday in the interesting fields; maybe that is the reason?
If so, how can these fields be added to the list?