Splunk Search

How to find the first Saturday of every month?

vpurushottam
Explorer

Hello,

I am currently stuck with finding the first Saturday of every month. Below is a screenshot of what I currently have:

So the query that I am working on extracts the number for each day of the month and creates an mv field, and then I work with these values to create a weekly record. And each day of each week for each month.

The issue: As you can see, the month starts on Friday, which corresponds to week 1, and in the next row you can see that the 4th is Monday, which lies in the 2nd week of the month. So as of now what my query does is extract and add the value of Monday to week 1, which is wrong.

What I am looking for: I came up with a solution where I will check the first value of the mv field and extract the date from it, see if this date is less than or equal to 7, and then compare this value with the first Saturday of the month. If this date value is greater than the date value of the first Saturday, I will add another value to the mv field ("00 NR Month 0000").

Can anyone help me with a query to find the first Saturday of the month? And also, will mvappend work here? While the search runs I observed that the mv field gets sorted automatically, so I was assuming that when I append the new field (if possible) it will get sorted automatically.

Thank you in advance. 🙂

0 Karma

somesoni2
Revered Legend

You can use something like this to find the first Saturday of a month:

| gentimes start=-1 | eval month=mvrange(1,13) | table month | mvexpand month | eval month="05 ".replace("0".month,".*(\d\d)$","\1")." 2019" 
| eval firstSaturday=strftime(relative_time(strptime("01 ".month,"%d %m %Y"),"@mon@w+6d"),"%A %F %T")

Here everything before | eval firstSaturday.. is to generate sample data with the date in format dd mm YYYY. Update the time format in the strftime/strptime functions per yours.

vpurushottam
Explorer

Thank you @somesoni2 for your reply, but I have a query. I was able to find a way to extract the first Saturday using the modifier "+w@w6". Since I am new to Splunk, I don't know how different "@mon@w+6d" is from the one that I did. Will my modifier create an issue sometime later, or is it just fine?

0 Karma
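
An added example, not part of the thread and not Splunk code: a Python model of the two modifiers discussed above, "@mon@w+6d" and "+w@w6", checked against the calendar for every month of 2019. It assumes Splunk's documented snap behaviour (a snap rounds down, @w0 is Sunday, @w6 is Saturday, a bare +w means +1 week) and, as a further assumption, that "+w@w6" is applied to midnight on the 1st of the month; all function names are hypothetical.

```python
from datetime import date, timedelta

# Model of Splunk time modifiers on whole days (times of day are ignored,
# since every snap used here lands on midnight anyway).

def snap_month(d):
    """'@mon': round down to the 1st of the month."""
    return d.replace(day=1)

def snap_weekday(d, w):
    """'@w<N>': latest day on or before d whose Splunk weekday is w
    (assumed numbering: 0 = Sunday ... 6 = Saturday)."""
    splunk_dow = (d.weekday() + 1) % 7      # Python counts Monday as 0
    return d - timedelta(days=(splunk_dow - w) % 7)

def answer_modifier(d):
    """'@mon@w+6d' from the answer: month start, back to Sunday, plus 6 days."""
    return snap_weekday(snap_month(d), 0) + timedelta(days=6)

def asker_modifier(d):
    """'+w@w6' from the follow-up: plus one week, then back to Saturday."""
    return snap_weekday(d + timedelta(weeks=1), 6)

def first_saturday(year, month):
    """Calendar reference: first Saturday on or after the 1st."""
    d = date(year, month, 1)
    return d + timedelta(days=(5 - d.weekday()) % 7)

def mismatches(year, modifier):
    """Months where modifier(1st of month) is not the first Saturday."""
    return [m for m in range(1, 13)
            if modifier(date(year, m, 1)) != first_saturday(year, m)]

if __name__ == "__main__":
    for name, fn in (("@mon@w+6d", answer_modifier), ("+w@w6", asker_modifier)):
        print(name, "differs from the calendar in months:", mismatches(2019, fn))
    # Constructed input: a mid-month date, to show the effect of the '@mon' snap.
    print(answer_modifier(date(2019, 6, 20)), asker_modifier(date(2019, 6, 20)))
```

Under these assumptions the two modifiers disagree only when the 1st of the month is itself a Saturday (June in 2019), and only "@mon@w+6d" gives the first Saturday when the input is a mid-month date.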