Is date_wday reliable to search on?

When I run two queries which differ from a wday filtering:

Query1= "Query1"
Query2= "Query1" date_wday!=Saturday

I get no result for query2 and plenty of results for query1. All the results I have in Query1 are not from Saturday only, otherwise I wouldn't report the problem.

I can't reproduce this problem 100%. Most of the time, filtering on date_wday works as expected. I believe it's the third time that scheduled reports I have suddenly stop returning anything, and all three times it has been due to problems with the date_wday filtering.

This is not really a question, but more a bug report I think... but I'm not too sure where to do that.

Re: Is date_wday reliable to search on?

It's probably not a bug. Not all inputs have a date_wday field - and when they do, the day of the week is not time-zone adjusted.

You might also want to take a look at this question/answer: Variance between time and date* fields

If you still feel that you have a bug, you can report it at http://www.splunk.com/support by clicking "Submit a case"

Re: Is date_wday reliable to search on?

Thanks a lot for your reply!
So the reply to my question is: "No, filtering on date_wday isn't reliable, because of timezone issues, and because sometimes it's not populated at all".

Instead, as a best practice, use eval weekday=strftime(_time,"%a") or eval weekday=strftime(_time,"%A").

Re: Is date_wday reliable to search on?

What @manus means is that date_wday seems to always be interpreted in UTC whereas _time will be reported to you in your local time zone. Not sure if this is a bug or the way it's defined to be.

Re: Is date_wday reliable to search on?

date_wday is based on the raw data - if that is UTC for this source, then date_wday will be UTC. From another source, the date_wday could be different.
_time is the normalized time that is stored in the index; it is always stored in UTC.
Splunk displays _time in the user interface based on the time zone you selected in your user settings.
This is by design; it is not a bug.
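The behaviour described in the accepted answer and in this last reply (date_wday taken from the raw timestamp, _time normalized to UTC and rendered in the user's time zone) can be reproduced outside Splunk. The script below is an added example, not code from the thread or from Splunk; the log lines are constructed, the source is assumed to log in UTC, and the user's display time zone is assumed to be a fixed UTC-4 offset.

```python
from datetime import datetime, timedelta, timezone, tzinfo

# Constructed sample events from a source that logs in UTC. Events 2 and 4
# fall on a different weekday in UTC than they do in a UTC-4 user time zone.
RAW_EVENTS = [
    "2023-06-09T20:30:00Z host=web01 action=login",  # Fri UTC / Fri local
    "2023-06-10T01:15:00Z host=web01 action=login",  # Sat UTC / Fri local
    "2023-06-10T14:00:00Z host=web02 action=login",  # Sat UTC / Sat local
    "2023-06-11T03:45:00Z host=web02 action=login",  # Sun UTC / Sat local
]

# Assumed user setting: US Eastern daylight time as a fixed offset (no DST
# handling), so the example runs without system time-zone data.
USER_TZ = timezone(timedelta(hours=-4))


def parse_event(line: str) -> dict:
    """Mimic indexing: _time normalized to UTC, date_wday taken from raw text."""
    ts, _, _ = line.partition(" ")
    epoch = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {
        "_time": epoch,                    # stored normalized, in UTC
        "date_wday": epoch.strftime("%A"),  # weekday of the raw timestamp, not TZ-adjusted
        "_raw": line,
    }


def weekday_in_tz(event: dict, user_tz: tzinfo) -> str:
    """Equivalent of eval weekday=strftime(_time,"%A") under the user's time zone."""
    return event["_time"].astimezone(user_tz).strftime("%A")


def filter_not_saturday(events: list, user_tz: tzinfo = None) -> list:
    """Keep events whose weekday is not Saturday.

    user_tz=None filters on date_wday (raw, UTC here); otherwise on the
    time-zone-adjusted weekday derived from _time.
    """
    kept = []
    for e in events:
        wday = e["date_wday"] if user_tz is None else weekday_in_tz(e, user_tz)
        if wday != "Saturday":
            kept.append(e["_raw"])
    return kept


if __name__ == "__main__":
    evts = [parse_event(l) for l in RAW_EVENTS]
    print("date_wday!=Saturday keeps:", filter_not_saturday(evts))
    print("strftime(_time) !=Saturday keeps:", filter_not_saturday(evts, USER_TZ))
```

The two filters keep different events for the same data, which is why a scheduled report keyed on date_wday can disagree with what the user sees in their own time zone.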