Re: Snap to previous Friday

jclemons7 · ‎04-06-2016

Hello,

I have the following time modifier, which I was hoping would give me the previous Friday as a static date, but it doesn't for obvious reasons.

earliest=-7d@w5 latest=-7d@w6 | eval TimeStamp=strftime(strptime(timestamp, "%Y-%m-%dT%H:%M:%S"),"%m/%d/%Y %H") | dedup TimeStamp | table TimeStamp

What I'm trying to do is craft a query that will always pull the previous Friday (or whatever full weekday I chose).

Any help is greatly appreciated.

somesoni2 · ‎04-06-2016

If you're just looking to get the date, from today, for a specific weekday, you can try this run anywhere sample query. Just update the weekday filter in the where clause.

| gentimes start=-7 | table starttime | where strftime(starttime,"%a")="Fri" | eval timestamp=strftime(starttime,"%m/%d/%Y %H")

woodcock · ‎04-06-2016

Try w5-7d@d and w6-7d@d

jclemons7 · ‎04-06-2016

Thanks so much for your response,

I think this is similar to the problem I had before.. so, in my query I wanted previous Sunday let's say.. so using your syntax I wrote this:

earliest=@w0-7d latest=@w1-7d | eval TimeStamp=strftime(strptime(timestamp, "%Y-%m-%dT%H:%M:%S"),"%m/%d/%Y %H") | dedup TimeStamp | table TimeStamp

But that returns 3/27 for my date and what I'm really looking for would be 4/3 if run today (4/6) if that makes any sense..

woodcock · ‎04-06-2016

OK, so do @w0@d and @w1@d.

jclemons7 · ‎04-06-2016

Additionally.. if I run it today for Wednesday, I wouldn't want it to consider today and only return partial results.. I was looking for it to return last Wednesday..

I know in SQL this is tricky, but was hoping Splunk had something that would get me like 90% there.

Snap to previous Friday

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!