Suppose we have data for the date and time range below. I want to pick only the Sunday dates and display only the last 3 weeks' Sunday data. So basically, it should pick only the Sunday dates from the input data and display them in the output data.
input data | output data (sunday date)
2022-04-24 09:00:03 | 2022-04-24 09:00:03
2022-04-22 12:50:08 | 2022-04-17 12:34:26
2022-04-17 12:34:26 | 2022-03-27 15:49:59
2022-03-28 09:41:12 | 2022-03-20 11:07:21
2022-03-27 15:49:59 | 2022-03-20 11:07:21
2022-03-25 15:31:18 |
2022-03-25 15:00:32 |
2022-03-25 14:45:03 |
2022-03-20 13:28:54 |
2022-03-20 11:07:21 |
2022-03-10 16:11:32 |
2022-03-10 14:31:15 |
Some date fields are automatically extracted - try this
| where date_wday="sunday"
I don't trust those fields. 😉
But seriously, they are extracted at index time and are based on the initial timestamp. As far as I remember, you can have a discrepancy between the presented timestamp and the extracted timestamp-related fields if your user is in another timezone than the source/indexer. That part of time processing can be really confusing.
Just render your timestamp into a format using a weekday only and compare it with your desired day of the week.
<your search>
| eval weekday=strftime(_time,"%w")
| where weekday=0
Since strftime gives you a string, you might filter on "0" as a string instead of just plain numerical zero in the last condition (haven't checked).
Thanks @PickleRick it worked!!
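The timezone discrepancy described in the second answer, modeled in Python on the question's input data (an added example, not code from the thread or from Splunk). It assumes the source writes its timestamps in UTC and the searching user is at UTC+12; the function names are hypothetical, and the `date_wday` model follows the answer's description of a field based on the initial timestamp.

```python
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%d %H:%M:%S"
SOURCE_TZ = timezone.utc                  # assumption: source logs in UTC
USER_TZ = timezone(timedelta(hours=12))   # assumption: searching user is at UTC+12
DAYS = ["monday", "tuesday", "wednesday", "thursday",
        "friday", "saturday", "sunday"]

# Input data from the question above.
INPUT = [
    "2022-04-24 09:00:03", "2022-04-22 12:50:08", "2022-04-17 12:34:26",
    "2022-03-28 09:41:12", "2022-03-27 15:49:59", "2022-03-25 15:31:18",
    "2022-03-25 15:00:32", "2022-03-25 14:45:03", "2022-03-20 13:28:54",
    "2022-03-20 11:07:21", "2022-03-10 16:11:32", "2022-03-10 14:31:15",
]

def raw_wday(raw):
    """Weekday read from the timestamp text as written (date_wday-style)."""
    return DAYS[datetime.strptime(raw, FMT).weekday()]

def rendered_wday(raw, user_tz):
    """%w-style weekday of the event's epoch rendered in user_tz ("0" = Sunday)."""
    epoch = datetime.strptime(raw, FMT).replace(tzinfo=SOURCE_TZ).timestamp()
    return datetime.fromtimestamp(epoch, user_tz).strftime("%w")

def sundays_by_raw(events):
    """Events a date_wday="sunday" style filter would keep."""
    return [e for e in events if raw_wday(e) == "sunday"]

def sundays_by_render(events, user_tz):
    """Events kept when the weekday is rendered for the user and compared to "0"."""
    return [e for e in events if rendered_wday(e, user_tz) == "0"]

def disagreements(events, user_tz):
    """Events on which the two filters give different answers."""
    return [e for e in events
            if (raw_wday(e) == "sunday") != (rendered_wday(e, user_tz) == "0")]

if __name__ == "__main__":
    print("raw-text Sundays:     ", sundays_by_raw(INPUT))
    print("rendered for UTC+12:  ", sundays_by_render(INPUT, USER_TZ))
    print("filters disagree on:  ", disagreements(INPUT, USER_TZ))
```

When the user's timezone matches the source, both filters return the same events; the difference only appears for events close enough to midnight that the offset moves them into another day.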