Hi,
Is it possible to specify a timeframe so that I get data for every Friday 8 PM to 9 PM for the last 3 months?
Hello,
It would be best if you can use the dates that are Fridays and use them with a lookup file.
OR
If you have an index which has the last 3 months' data, you could get them in a subsearch and filter out those days. Here it goes:
sourcetype=x earliest=-3mon@mon date_hour=20 [|search index=x|bucket _time span=1d|stats min(_time) as _time by date_mday|eval Wday=strftime(_time,"%a")|where Wday="Fri"|table date_mday|dedup date_mday]|....
sourcetype=x earliest=-3mon@mon date_hour=20 date_wday="friday"|.....
I see this in Splunk 6, so there is no need to extract any weekday part anymore. 😄
Thanks
You don't need to think about a lookup table now that you have the details like date_month, date_hour and date_wday. Much easier...
Thank you. I will try this. It looks much simpler (we have Splunk 6).
sourcetype=x earliest=-3mon@mon date_hour=20 date_wday="friday"|.....
If I want to use the lookup table approach, I need to have 2 columns, where one column has all the dates of Fridays and the other column would be dayoftheweek as Friday for all of them?
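As an added example that is not from any participant in this thread: a small Python script that produces the two-column Friday lookup the last post asks about (the column names date and dayoftheweek are an assumption) for the same window as earliest=-3mon@mon, plus a check that mirrors date_wday="friday" date_hour=20 on a timestamp. It assumes all timestamps are already in one consistent timezone; Splunk's date_* fields come from the raw event time, not the viewer's timezone, so a mismatch there would shift which hour counts as 20.

```python
import csv
import io
from datetime import date, datetime, timedelta
from typing import List

FRIDAY = 4  # datetime.weekday(): Monday=0 ... Friday=4


def month_start_months_ago(today: date, months: int) -> date:
    """Equivalent of earliest=-3mon@mon: go back `months` months, then snap to day 1."""
    year, month = today.year, today.month - months
    while month <= 0:  # roll back across year boundaries
        month += 12
        year -= 1
    return date(year, month, 1)


def fridays_in_last_months(today: date, months: int = 3) -> List[date]:
    """Every Friday from the snapped start of the window up to and including `today`."""
    start = month_start_months_ago(today, months)
    first_friday = start + timedelta(days=(FRIDAY - start.weekday()) % 7)
    fridays = []
    d = first_friday
    while d <= today:
        fridays.append(d)
        d += timedelta(days=7)
    return fridays


def build_lookup_csv(fridays: List[date]) -> str:
    """The two-column lookup discussed in the thread (column names are assumed)."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["date", "dayoftheweek"])
    for d in fridays:
        writer.writerow([d.isoformat(), "Friday"])
    return buf.getvalue()


def in_friday_window(ts: datetime) -> bool:
    """Mirror of date_wday="friday" date_hour=20: Friday, 20:00 <= ts < 21:00."""
    return ts.weekday() == FRIDAY and ts.hour == 20


def matches_search(ts: datetime, today: date, months: int = 3) -> bool:
    """Combined filter: inside the -3mon@mon window AND in the Friday 8-9 PM hour."""
    return ts.date() >= month_start_months_ago(today, months) and in_friday_window(ts)


if __name__ == "__main__":
    # Constructed reference date for a stand-alone run; any date works.
    print(build_lookup_csv(fridays_in_last_months(date(2014, 1, 20))))
```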