- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have extracted a field from log files that is called file_Date and it is in the format "8/1/2017". How do get the day of the week from a date in this format. I CAN NOT use "_time" for when Splunk gets the date forwarded because it can be a different date based on the location of the server.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this,
| eval tdate_w = strftime(strptime(file_Date, "%m/%d/%Y"), "%A") | table file_Date tdate_w
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the _Date is the same as _time, then just use the field date_wday.
If you need it in a number, then you can do a lookup or case.
If _Date is not the same as _time, then sbbadri's answer is probably what you want to consider.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this,
| eval tdate_w = strftime(strptime(file_Date, "%m/%d/%Y"), "%A") | table file_Date tdate_w
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
NOTE - If you prefer numbers, 0 for Sunday, 1 for Monday and so on, use "%w"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This works perfectly! Thank you
