Is date_wday reliable to search on?

manus
Communicator

When I run two queries which differ only by a wday filter:

Query1= "Query1"
Query2= "Query1" date_wday!=Saturday

I get no result for Query2 and plenty of results for Query1. The results I have in Query1 are not all from Saturday, otherwise I wouldn't report the problem.

I can't reproduce this problem 100%. Most of the time, filtering on date_wday works as expected. I believe this is the third time that scheduled reports I have suddenly stop returning anything, and all three times it has been due to problems with the date_wday filtering.

This is not really a question, but more a bug report I think... but I'm not too sure where to do that.

1 Solution

lguinn2
Legend

It's probably not a bug. Not all inputs have a date_wday field - and when they do, the day of the week is not time-zone adjusted.

You might also want to take a look at this question/answer: Variance between time and date* fields

If you still feel that you have a bug, you can report it at http://www.splunk.com/support by clicking "Submit a case"


manus
Communicator

Thanks a lot for your reply!
So the reply to my question is: "No, filtering on date_wday isn't reliable, because of timezone issues, and because sometimes it's not populated at all".

Instead, as a best practice, use eval weekday=strftime(_time,"%a") or eval weekday=strftime(_time,"%A").


enno
Explorer

What @manus means is that date_wday seems to always be interpreted in UTC whereas _time will be reported to you in your local time zone. Not sure if this is a bug or the way it's defined to be.


lguinn2
Legend

date_wday is based on the raw data - if that is UTC for this source, then date_wday will be UTC. From another source, the date_wday could be different.
_time is the normalized time that is stored in the index; it is always stored in UTC.
Splunk displays _time in the user interface based on the time zone you selected in your user settings.
This is by design; it is not a bug.

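To make the two explanations above concrete (lguinn2's point that date_wday comes from the raw timestamp text and is never time-zone adjusted, while _time is a UTC epoch rendered in the user's display zone, and manus's strftime(_time,"%A") alternative), here is an added Python model of the two searches. It is not from the thread or from Splunk; the sample events, the Canberra AEDT offset and the simplified index-time record are assumptions.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Assumption: the searching user has their Splunk time zone set to Canberra, which
# is UTC+11 (AEDT) in March. A fixed offset keeps the example independent of tzdata.
AEDT = timezone(timedelta(hours=11), "AEDT")

def make_event(utc_dt, with_date_fields=True):
    """Constructed index-time record. _time is the epoch (always UTC); date_wday, when
    the input produces it, is taken from the raw timestamp text and never tz-adjusted."""
    event = {"_time": utc_dt.replace(tzinfo=UTC).timestamp()}
    if with_date_fields:
        event["date_wday"] = utc_dt.strftime("%A").lower()   # Splunk stores e.g. 'saturday'
    return event

# Constructed sample events, not taken from the thread.
EVENTS = [
    make_event(datetime(2024, 3, 2, 23, 30)),        # Saturday 23:30 UTC = Sunday 10:30 AEDT
    make_event(datetime(2024, 3, 4, 9, 0)),          # Monday in both zones
    make_event(datetime(2024, 3, 4, 12, 0), False),  # timestamp not parsed: no date_wday at all
]

def search_date_wday_not(events, excluded):
    """Models `... date_wday!=<excluded>`. Splunk's field!=value only matches events
    that have the field, so events without date_wday are silently dropped."""
    return [e for e in events
            if "date_wday" in e and e["date_wday"].lower() != excluded.lower()]

def search_eval_weekday_not(events, excluded, user_tz):
    """Models `... | eval weekday=strftime(_time,"%A") | search weekday!=<excluded>`.
    strftime renders _time in the user's display zone, and every event gets a value."""
    kept = []
    for e in events:
        weekday = datetime.fromtimestamp(e["_time"], tz=user_tz).strftime("%A")
        if weekday.lower() != excluded.lower():
            kept.append({**e, "weekday": weekday})
    return kept

if __name__ == "__main__":
    # date_wday filter: the Saturday event is dropped (its raw stamp is UTC) and the
    # event lacking date_wday is dropped too, so only the Monday event survives.
    print(len(search_date_wday_not(EVENTS, "Saturday")))
    # eval on _time in AEDT: the same event is a Sunday for this user, and all three are kept.
    print([e["weekday"] for e in search_eval_weekday_not(EVENTS, "Saturday", AEDT)])
```

Running the eval-based search with UTC instead of AEDT drops the first event again, which is exactly the time-zone dependence enno describes.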