Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search the log event only happen on Saturday and Sunday and during the weekday after 18:00

samlinsongguo
Communicator
‎05-11-2017 11:30 PM

I am looking for syntax to writing a queue about search the log event only happen on Saturday and Sunday and during the weekday after 18:00. what is the key work should I use, Could anyone give me a hint please?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

samlinsongguo
Communicator
‎05-14-2017 10:07 PM

Hi Dineshrja9
Thank you for your answer. I tried your commend but it doesn't return me any result and I find out it is because the index I am trying search doesn't have date_wday field as below images show
alt text

the index1 file I am trying to search, I can not expend _time field search this index with command date_wday does not return me result.

alt text

the other index2 which contain date_wday field. search this index with command date_wday it can return me result.

Any suggestion about how can I get that date_wday field added into the index1 file?

View solution in original post

Preview file
32 KB
Preview file
28 KB
0 Karma
Reply
Solved! Jump to solution
Solution

samlinsongguo
Communicator
‎05-14-2017 10:07 PM

Hi Dineshrja9
Thank you for your answer. I tried your commend but it doesn't return me any result and I find out it is because the index I am trying search doesn't have date_wday field as below images show
alt text

the index1 file I am trying to search, I can not expend _time field search this index with command date_wday does not return me result.

alt text

the other index2 which contain date_wday field. search this index with command date_wday it can return me result.

Any suggestion about how can I get that date_wday field added into the index1 file?

Preview file
32 KB
Preview file
28 KB
0 Karma
Reply
Solved! Jump to solution

dineshraj9
Builder
‎05-14-2017 10:51 PM

My bad, some of the events don't contain these fields by default(like the windows event logs). You can create these fields and then use it -

<your search> | eval date_hour=strftime(_time,"%H") | eval date_wday=strftime(_time,"%A")  | search (date_hour>18 AND date_hour<=23) OR (date_wday="Saturday" OR date_wday="Sunday")
0 Karma
Reply
Solved! Jump to solution

samlinsongguo
Communicator
‎05-15-2017 04:10 PM

Thank you so much for your help

0 Karma
Reply
Solved! Jump to solution

dineshraj9
Builder
‎05-11-2017 11:46 PM

You can add this to your base search

(date_hour>18 AND date_hour<=23) OR (date_wday="saturday" OR date_wday="sunday")
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...