Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to display data for every sunday of last 3 weeks in the given date and time range?

srujana96
Explorer
‎05-11-2022 04:54 AM

Say suppose we have data for the below date and time range, i want to pick only sunday's date and display the last 3 weeks sundays data only. so basically, it should pick only the sunday's date from input data and display it in the output data.

input data            output data(sunday date)

2022-04-24 09:00:03   2022-04-24 09:00:03
2022-04-22 12:50:08   2022-04-17 12:34:26
2022-04-17 12:34:26   2022-03-27 15:49:59
2022-03-28 09:41:12   2022-03-20 11:07:21
2022-03-27 15:49:59   2022-03-20 11:07:21
2022-03-25 15:31:18    
2022-03-25 15:00:32    
2022-03-25 14:45:03    
2022-03-20 13:28:54    
2022-03-20 11:07:21    
2022-03-10 16:11:32    
2022-03-10 14:31:15    
Labels (1)
Labels
Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-11-2022 05:12 AM

Some date fields are automatically extracted - try this

| where date_wday="sunday"
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎05-11-2022 05:18 AM

I don't trust those fields. 😉

But seriously, they are extracted in index-time and are based on the initial timestamp. As far as I remember, you can have a discrepancy between the presented timestamp and the extracted timestamp-related fields if your user is at another timezone than the source/indexer. That part of time processing can be really confusing.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎05-11-2022 05:09 AM

Just render your timestamp into a format using a weekday only and compare it with your desired day of the week.

<your search>
| eval weekday=strftime(_time,"%w")
| where weekday=0

Since strftime gives you string you might filter on "0" as string instead of just plain nummerical zero in the last condition (haven't checked).

Reply

srujana96
Explorer
‎05-17-2022 01:34 AM

Thnaks @PickleRick  it worked!!

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...