When I run two queries which differ from a wday filtering:
Query2= "Query1" date_wday!=Saturday
I get no result for query2 and plenty of results for query1. All the results I have in Query1 are not from Saturday only, otherwise I wouldn't report the problem.
I can't reproduce this problem 100%. Most of the time, filtering on date_wday works as expected. I believe it's the third time that scheduled reports I have suddenly stop returning anything, and the three times it has been due to problems with the date_wday filtering.
This is not really a question, but more a bug report I think... but I'm not too sure where to do that.
It's probably not a bug. Not all inputs have a date_wday field - and when they do, the day of the week is not time-zone adjusted.
You might also want to take a look at this question/answer: Variance between time and date* fields
If you still feel that you have a bug, you can report it at http://www.splunk.com/support by clicking "Submit a case"
Thanks a lot for your reply!
So the reply to my question is: "No, filtering on date_wday isn't reliable, because of timezone issues, and because sometimes it's not populated at all".
Instead, as a best practice, use eval weekday=strftime(_time,"%a") or eval weekday=strftime(_time,"%A").
What @manus means is that date_wday seems to always be interpreted in UTC whereas _time will be reported to you in your local time zone. Not sure if this is a bug or the way it's defined to be.
date_wday is based on the raw data - if that is UTC for this source, then date_wday will be UTC. From another source, the date_wday could be different.
_time is the normalized time that is stored in the index; it is always stored in UTC.
_time is shown in the user interface based on the time zone you selected in your user settings.
This is by design; it is not a bug.
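To make the divergence described in this thread concrete, here is an added example (not from the thread or from Splunk) that mimics both behaviours in Python: date_wday taken straight from the raw timestamp, versus strftime(_time,"%A") rendered in the user's time zone. The sample events and the user time zone "America/Los_Angeles" are constructed assumptions.

```python
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

# Constructed sample events: raw timestamps as written by the source, all in UTC,
# so a date_wday extracted from them would carry the UTC weekday.
RAW_EVENTS = [
    "2024-03-09T02:30:00Z",   # Saturday 02:30 UTC, still Friday evening in Los Angeles
    "2024-03-09T16:00:00Z",   # Saturday 16:00 UTC, Saturday morning in Los Angeles
    "2024-03-08T12:00:00Z",   # Friday 12:00 UTC, Friday everywhere in the Americas
]

def _parse_raw(raw):
    return datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ")

def date_wday_from_raw(raw):
    """Mimic date_wday: weekday name read from the raw text, no time-zone adjustment.
    Splunk stores date_wday values in lowercase (e.g. 'saturday')."""
    return _parse_raw(raw).strftime("%A").lower()

def epoch_from_raw(raw):
    """Mimic _time: the event time normalized to UTC epoch seconds in the index."""
    return _parse_raw(raw).replace(tzinfo=timezone.utc).timestamp()

def weekday_via_strftime(epoch, user_tz):
    """Mimic eval weekday=strftime(_time,"%A"), rendered in the user's time zone."""
    return datetime.fromtimestamp(epoch, ZoneInfo(user_tz)).strftime("%A")

def filter_not_saturday(events, user_tz, use_date_wday):
    """Return the events a 'not Saturday' filter keeps, using either field.

    use_date_wday=True  -> equivalent of  ... date_wday!=Saturday
    use_date_wday=False -> equivalent of  ... | eval weekday=strftime(_time,"%A") | search weekday!=Saturday
    """
    kept = []
    for raw in events:
        if use_date_wday:
            wday = date_wday_from_raw(raw)           # UTC weekday from the raw data
            if wday != "saturday":
                kept.append(raw)
        else:
            wday = weekday_via_strftime(epoch_from_raw(raw), user_tz)  # user's local weekday
            if wday != "Saturday":
                kept.append(raw)
    return kept

if __name__ == "__main__":
    print("date_wday filter keeps :", filter_not_saturday(RAW_EVENTS, "America/Los_Angeles", True))
    print("_time-based filter keeps:", filter_not_saturday(RAW_EVENTS, "America/Los_Angeles", False))
```

The first event is dropped by the date_wday filter but kept by the _time-based one, which is exactly the kind of silent disagreement that makes a scheduled report look empty for a user in a non-UTC time zone.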