Is date_wday reliable to search on?

manus
Communicator

When I run two queries which differ only by a wday filter:

Query1= "Query1"
Query2= "Query1" date_wday!=Saturday

I get no result for query2 and plenty of results for query1. All the results I have in Query1 are not from Saturday only, otherwise I wouldn't report the problem.

I can't reproduce this problem 100%. Most of the time, filtering on date_wday works as expected. I believe it's the third time that scheduled reports I have suddenly stop returning anything, and all three times it has been due to problems with the date_wday filtering.

This is not really a question, but more a bug report I think... but I'm not too sure where to do that.

1 Solution

lguinn2
Legend

It's probably not a bug. Not all inputs have a date_wday field - and when they do, the day of the week is not time-zone adjusted.

You might also want to take a look at this question/answer: Variance between time and date* fields

If you still feel that you have a bug, you can report it at http://www.splunk.com/support by clicking "Submit a case"

manus
Communicator

Thanks a lot for your reply!
So the reply to my question is: "No, filtering on date_wday isn't reliable, because of timezone issues, and because sometimes it's not populated at all".

Instead, as a best practice, use eval weekday=strftime(_time,"%a") or eval weekday=strftime(_time,"%A").

enno
Explorer

What @manus means is that date_wday seems to always be interpreted in UTC whereas _time will be reported to you in your local time zone. Not sure if this is a bug or the way it's defined to be.

lguinn2
Legend

date_wday is based on the raw data - if that is UTC for this source, then date_wday will be UTC. From another source, the date_wday could be different.
_time is the normalized time that is stored in the index; it is always stored in UTC.
Splunk displays _time in the user interface based on the time zone you selected in your user settings.
This is by design; it is not a bug.

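The mechanics behind this thread, as an added Python simulation that is not Splunk code and not from any of the posters: date_wday is taken literally from the timestamp text in the raw event and never shifted to the user's zone, while _time is the same instant normalised to UTC and rendered in the user's zone, so the two can name different days near midnight. It also models the other cause mentioned above: an input with no date_wday field is not matched by date_wday!=Saturday at all, because a Splunk != test only matches events that carry the field. The four events, their ids and the fixed-offset "user zones" are constructed for the example; real user settings are named zones.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

RAW_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _utc(text: str) -> float:
    """Epoch seconds for a constructed UTC timestamp string (the indexed _time)."""
    return datetime.strptime(text, RAW_FMT).replace(tzinfo=timezone.utc).timestamp()


# Constructed sample events. raw_ts is the timestamp text as written in the
# event; None stands for an input whose timestamp yields no date_* fields.
# Every event still has a _time, because indexing always assigns one.
EVENTS = [
    {"id": "e1", "raw_ts": "2024-03-09T23:30:00Z", "_time": _utc("2024-03-09T23:30:00Z")},  # late Saturday, UTC
    {"id": "e2", "raw_ts": "2024-03-10T01:15:00Z", "_time": _utc("2024-03-10T01:15:00Z")},  # early Sunday, UTC
    {"id": "e3", "raw_ts": "2024-03-08T12:00:00Z", "_time": _utc("2024-03-08T12:00:00Z")},  # Friday midday, UTC
    {"id": "e4", "raw_ts": None,                   "_time": _utc("2024-03-09T10:00:00Z")},  # no date_wday field
]

# Fixed offsets standing in for the user's time-zone setting (constructed so
# the example runs offline without tz database files).
USER_ZONES = {
    "UTC": timezone.utc,
    "UTC+01:00": timezone(timedelta(hours=1)),
    "UTC-08:00": timezone(timedelta(hours=-8)),
}


def date_wday(event: dict) -> Optional[str]:
    """Mimic date_wday: weekday of the raw timestamp text, taken as written and
    never adjusted to the user's zone. None when the field does not exist."""
    if event["raw_ts"] is None:
        return None
    return datetime.strptime(event["raw_ts"], RAW_FMT).strftime("%A").lower()


def weekday_from_time(event: dict, user_zone: str) -> str:
    """Mimic eval weekday=strftime(_time,"%A"): _time rendered in the user's zone."""
    return datetime.fromtimestamp(event["_time"], USER_ZONES[user_zone]).strftime("%A").lower()


def filter_date_wday_not(day: str) -> list:
    """Mimic `date_wday!=<day>`: case-insensitive, and like Splunk's != it only
    matches events that actually carry the field."""
    return [e["id"] for e in EVENTS
            if date_wday(e) is not None and date_wday(e) != day.lower()]


def filter_time_weekday_not(day: str, user_zone: str) -> list:
    """Mimic `| eval weekday=strftime(_time,"%A") | search weekday!=<day>`."""
    return [e["id"] for e in EVENTS
            if weekday_from_time(e, user_zone) != day.lower()]


def disagreements(user_zone: str) -> list:
    """Events where date_wday and the _time-derived weekday name different days."""
    out = []
    for e in EVENTS:
        raw_day = date_wday(e)
        if raw_day is None:
            continue
        shown_day = weekday_from_time(e, user_zone)
        if raw_day != shown_day:
            out.append((e["id"], raw_day, shown_day))
    return out


if __name__ == "__main__":
    print("date_wday!=Saturday            ->", filter_date_wday_not("Saturday"))
    for zone in USER_ZONES:
        print(f"{zone:9} strftime(_time)!=Saturday ->", filter_time_weekday_not("Saturday", zone))
        print(f"{zone:9} disagreements             ->", disagreements(zone))
```

Run it and the UTC+01:00 user sees e1 reported as Sunday while its date_wday says saturday; the UTC-08:00 user sees the opposite for e2; and e4 never passes the date_wday!=Saturday filter even though it is a Saturday event, which is the "report suddenly returns nothing" case when a source stops producing date_* fields. The _time-based filter from the reply above sees every event and agrees with what the user's own display shows.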