
How to query a particular hour for last 3 months

Contributor

Hi,

Is it possible to specify a timeframe so that I get data for every Friday 8 PM to 9 PM for the last 3 months?


Re: How to query a particular hour for last 3 months

Champion

Hello,
It would be best if you can use the dates that fall on a Friday and use them with a lookup file.

OR

If you have an index which has the last 3 months' data, you could get them in a subsearch and filter out those days. Here it goes:

sourcetype=x earliest=-3mon@mon date_hour=20 [search index=x | bucket _time span=1d | stats min(_time) as _time by date_month date_mday | eval Wday=strftime(_time,"%a") | where Wday="Fri" | dedup date_month date_mday | table date_month date_mday] | ....

sourcetype=x earliest=-3mon@mon date_hour=20 date_wday="friday"|.....

I see this in Splunk 6, so there's no need to extract any weekday part anymore. 😄

Thanks

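To make the second answer's filter concrete, here is an added Python model of what earliest=-3mon@mon date_hour=20 date_wday="friday" selects, run over a handful of constructed event timestamps (example code written for this page, not from the thread or from Splunk; the fixed "now" and the sample events are assumptions, and it models date_* fields as Splunk does, from the timestamp as written in the raw event rather than shifted to the searching user's timezone).

```python
from datetime import datetime

# Constructed sample events: (raw event timestamp as ISO string, note).
# Not taken from the thread; chosen to cover the match and non-match cases.
EVENTS = [
    ("2014-09-05T20:15:00", "Friday 20:15 - should match"),
    ("2014-09-05T21:00:00", "Friday 21:00 - date_hour=21, no match"),
    ("2014-09-06T20:30:00", "Saturday 20:30 - wrong weekday, no match"),
    ("2014-07-25T20:05:00", "Friday 20:05 - before earliest, no match"),
    ("2014-08-29T20:59:00", "Friday 20:59 - should match"),
]


def snap_earliest(now_iso: str, months_back: int = 3) -> str:
    """Model earliest=-3mon@mon: step back N months, then snap to the start
    of that month (00:00 on the 1st). Snapping after the month step means
    the day-of-month of 'now' never matters (no Nov 31 style problems)."""
    now = datetime.fromisoformat(now_iso)
    year, month = now.year, now.month - months_back
    while month < 1:          # handle crossing a year boundary
        month += 12
        year -= 1
    return datetime(year, month, 1).isoformat()


def matches(ts_iso: str, earliest_iso: str, hour: int = 20, wday: str = "friday") -> bool:
    """Model date_hour=<hour> date_wday=<wday> on one event timestamp.
    date_hour is the hour the event was stamped with (20 covers 20:00-20:59,
    i.e. 8 PM to 9 PM); date_wday is the lowercase weekday name."""
    ts = datetime.fromisoformat(ts_iso)
    earliest = datetime.fromisoformat(earliest_iso)
    return (
        ts >= earliest
        and ts.hour == hour
        and ts.strftime("%A").lower() == wday
    )


def friday_8pm_events(events, now_iso: str):
    """Return the notes of the events the Splunk filter would keep."""
    earliest = snap_earliest(now_iso)
    return [note for ts, note in events if matches(ts, earliest)]


if __name__ == "__main__":
    for note in friday_8pm_events(EVENTS, "2014-11-10T09:00:00"):
        print(note)
```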

Re: How to query a particular hour for last 3 months

Contributor

Thank you. I will try this. It looks much simpler (we have Splunk 6).
sourcetype=x earliest=-3mon@mon date_hour=20 date_wday="friday"|.....
If I want to use the lookup table approach, do I need to have 2 columns, where one column has all the dates of Friday and the other column would be day-of-the-week as Friday for all of them?


Re: How to query a particular hour for last 3 months

Champion

You don't need to think about a lookup table now that you have fields like date_month, date_hour, date_wday. Much easier...
