Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search the log event only happen on Saturday and Sunday and during the weekday after 18:00

samlinsongguo
Communicator
‎05-11-2017 11:30 PM

I am looking for syntax to writing a queue about search the log event only happen on Saturday and Sunday and during the weekday after 18:00. what is the key work should I use, Could anyone give me a hint please?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

samlinsongguo
Communicator
‎05-14-2017 10:07 PM

Hi Dineshrja9
Thank you for your answer. I tried your commend but it doesn't return me any result and I find out it is because the index I am trying search doesn't have date_wday field as below images show
alt text

the index1 file I am trying to search, I can not expend _time field search this index with command date_wday does not return me result.

alt text

the other index2 which contain date_wday field. search this index with command date_wday it can return me result.

Any suggestion about how can I get that date_wday field added into the index1 file?

View solution in original post

Preview file
32 KB
Preview file
28 KB
0 Karma
Reply
Solved! Jump to solution
Solution

samlinsongguo
Communicator
‎05-14-2017 10:07 PM

Hi Dineshrja9
Thank you for your answer. I tried your commend but it doesn't return me any result and I find out it is because the index I am trying search doesn't have date_wday field as below images show
alt text

the index1 file I am trying to search, I can not expend _time field search this index with command date_wday does not return me result.

alt text

the other index2 which contain date_wday field. search this index with command date_wday it can return me result.

Any suggestion about how can I get that date_wday field added into the index1 file?

Preview file
32 KB
Preview file
28 KB
0 Karma
Reply
Solved! Jump to solution

dineshraj9
Builder
‎05-14-2017 10:51 PM

My bad, some of the events don't contain these fields by default(like the windows event logs). You can create these fields and then use it -

<your search> | eval date_hour=strftime(_time,"%H") | eval date_wday=strftime(_time,"%A")  | search (date_hour>18 AND date_hour<=23) OR (date_wday="Saturday" OR date_wday="Sunday")
0 Karma
Reply
Solved! Jump to solution

samlinsongguo
Communicator
‎05-15-2017 04:10 PM

Thank you so much for your help

0 Karma
Reply
Solved! Jump to solution

dineshraj9
Builder
‎05-11-2017 11:46 PM

You can add this to your base search

(date_hour>18 AND date_hour<=23) OR (date_wday="saturday" OR date_wday="sunday")
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...