Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search the log event only happen on Saturday and Sunday and during the weekday after 18:00

samlinsongguo
Communicator
‎05-11-2017 11:30 PM

I am looking for syntax to writing a queue about search the log event only happen on Saturday and Sunday and during the weekday after 18:00. what is the key work should I use, Could anyone give me a hint please?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

samlinsongguo
Communicator
‎05-14-2017 10:07 PM

Hi Dineshrja9
Thank you for your answer. I tried your commend but it doesn't return me any result and I find out it is because the index I am trying search doesn't have date_wday field as below images show
alt text

the index1 file I am trying to search, I can not expend _time field search this index with command date_wday does not return me result.

alt text

the other index2 which contain date_wday field. search this index with command date_wday it can return me result.

Any suggestion about how can I get that date_wday field added into the index1 file?

View solution in original post

with-sat-infor.png
Preview file
32 KB
no-sat-information.png
Preview file
28 KB
0 Karma
Reply
Solved! Jump to solution
Solution

samlinsongguo
Communicator
‎05-14-2017 10:07 PM

Hi Dineshrja9
Thank you for your answer. I tried your commend but it doesn't return me any result and I find out it is because the index I am trying search doesn't have date_wday field as below images show
alt text

the index1 file I am trying to search, I can not expend _time field search this index with command date_wday does not return me result.

alt text

the other index2 which contain date_wday field. search this index with command date_wday it can return me result.

Any suggestion about how can I get that date_wday field added into the index1 file?

with-sat-infor.png
Preview file
32 KB
no-sat-information.png
Preview file
28 KB
0 Karma
Reply
Solved! Jump to solution

dineshraj9
Builder
‎05-14-2017 10:51 PM

My bad, some of the events don't contain these fields by default(like the windows event logs). You can create these fields and then use it -

<your search> | eval date_hour=strftime(_time,"%H") | eval date_wday=strftime(_time,"%A")  | search (date_hour>18 AND date_hour<=23) OR (date_wday="Saturday" OR date_wday="Sunday")
0 Karma
Reply
Solved! Jump to solution

samlinsongguo
Communicator
‎05-15-2017 04:10 PM

Thank you so much for your help

0 Karma
Reply
Solved! Jump to solution

dineshraj9
Builder
‎05-11-2017 11:46 PM

You can add this to your base search

(date_hour>18 AND date_hour<=23) OR (date_wday="saturday" OR date_wday="sunday")
0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Brute Force Account Takeover Fraud with Splunk

This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...

Buttercup Games: Further Dashboarding Techniques (Part 9)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games: Further Dashboarding Techniques (Part 8)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top