Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Looking to create 2 timeframes but "week of month" is returning week of year

jjponderosa
Engager
‎05-29-2024 12:41 PM

Hello. I am interested in data that occurs from Tuesday night on 8 PM until 6 AM. The caveat is that I need 2 separate time periods to compare. One of which is the 2nd Tuesday of each month until the 3rd Thursday. The other is any other day in the month. 


So far I have: 

| eval day_of_week=strftime(_time, "%A")
| eval week_of_month=strftime(_time, "%U" )
| eval day_of_month=strftime(_time, "%d")
| eval start_target_period=if(day_of_week=="Tuesday" AND week_of_month>1 AND week_of_month<4, "true", "false")
| eval end_target_period=if(day_of_week=="Thursday" AND week_of_month>2 AND week_of_monthr<4, "true", "false")
| eval hour=strftime(_time, "%H")
| eval time_bucket=case(
(start_target_period="true" AND hour>="20") OR (end_target_period="true" AND hour<="06"), "Target Period",
(hour>="20" OR hour<="06"), "Other Period"
)



My issue is that my "week of month" field is reflecting the week of the year. Any help would be greatly appreciated. 

EDIT: I placed this in the wrong location, all apologies. 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎05-29-2024 03:26 PM

%U is week of year

https://docs.splunk.com/Documentation/Splunk/9.2.1/SearchReference/Commontimeformatvariables#Specify...

You can easily do the math to work out which week of month it is based on your start day of the week. See this example which calculates the week number with either a start of week being Sunday or Monday.

| makeresults count=31
| streamstats c
| eval _time=strptime(printf("2024-03-%02d", c), "%F")
| fields - c
| eval day_of_week=strftime(_time, "%A")
| eval day_of_month=strftime(_time, "%d")
| eval wday_sunday_start=strftime(_time, "%w"), wday_monday_start=if(wday_sunday_start=0,7,wday_sunday_start)
| eval week_of_month_sunday_start=ceil(max((day_of_month-wday_sunday_start), 0) / 7) + 1
| eval week_of_month_monday_start=ceil(max((day_of_month-wday_monday_start), 0) / 7) + 1

 

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎05-29-2024 03:26 PM

%U is week of year

https://docs.splunk.com/Documentation/Splunk/9.2.1/SearchReference/Commontimeformatvariables#Specify...

You can easily do the math to work out which week of month it is based on your start day of the week. See this example which calculates the week number with either a start of week being Sunday or Monday.

| makeresults count=31
| streamstats c
| eval _time=strptime(printf("2024-03-%02d", c), "%F")
| fields - c
| eval day_of_week=strftime(_time, "%A")
| eval day_of_month=strftime(_time, "%d")
| eval wday_sunday_start=strftime(_time, "%w"), wday_monday_start=if(wday_sunday_start=0,7,wday_sunday_start)
| eval week_of_month_sunday_start=ceil(max((day_of_month-wday_sunday_start), 0) / 7) + 1
| eval week_of_month_monday_start=ceil(max((day_of_month-wday_monday_start), 0) / 7) + 1

 

Reply
Solved! Jump to solution

jjponderosa
Engager
‎05-29-2024 04:58 PM

Dang it I don’t know how I missed that. Thank you.

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Brute Force Account Takeover Fraud with Splunk

This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...

Buttercup Games: Further Dashboarding Techniques (Part 9)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games: Further Dashboarding Techniques (Part 8)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
li.common.scroll-to.top