When I run two queries which differ only by a wday filter:
Query1= "Query1"
Query2= "Query1" date_wday!=Saturday
I get no results for Query2 and plenty of results for Query1. The results I have in Query1 are not from Saturday only, otherwise I wouldn't report the problem.
I can't reproduce this problem 100%. Most of the time, filtering on date_wday works as expected. I believe it's the third time that scheduled reports I have suddenly stop returning anything, and all three times it has been due to problems with the date_wday filtering.
This is not really a question, but more a bug report I think... but I'm not too sure where to do that.
It's probably not a bug. Not all inputs have a date_wday field - and when they do, the day of the week is not time-zone adjusted.
You might also want to take a look at this question/answer: Variance between time and date* fields
If you still feel that you have a bug, you can report it at http://www.splunk.com/support by clicking "Submit a case"
Thanks a lot for your reply!
So the reply to my question is: "No, filtering on date_wday isn't reliable, because of timezone issues, and because sometimes it's not populated at all".
Instead, as a best practice, use eval weekday=strftime(_time,"%a") or eval weekday=strftime(_time,"%A").
What @manus means is that date_wday seems to always be interpreted in UTC whereas _time will be reported to you in your local time zone. Not sure if this is a bug or the way it's defined to be.
date_wday is based on the raw data - if that is UTC for this source, then date_wday will be UTC. From another source, the date_wday could be different.
_time is the normalized time that is stored in the index; it is always stored in UTC. Splunk displays _time in the user interface based on the time zone you selected in your user settings.
This is by design; it is not a bug.
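The mismatch described in this thread, shown as a worked example added here (not code from the original post or from Splunk): a date_wday-style value is lifted verbatim from the raw event text, while the strftime(_time,"%a") value is computed from the normalized UTC epoch and rendered in the viewer's time zone. The two sample events and the fixed-offset "user time zones" are constructed for the example; the function names (parse_event, display_wday, wday_mismatches) are assumptions, not Splunk APIs.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample raw events (not from the original post). Each timestamp
# carries an explicit UTC offset so the raw text and the epoch can differ in weekday.
RAW_EVENTS = [
    "Sat Jun 01 23:30:00 +0000 2024 host=web01 action=login user=alice",
    "Sat Jun 01 20:00:00 -0700 2024 host=web02 action=login user=bob",
]

# Timestamp layout of the constructed events: "Sat Jun 01 23:30:00 +0000 2024"
TS_FORMAT = "%a %b %d %H:%M:%S %z %Y"

# Fixed offsets standing in for a viewer's user-settings time zone. These are the
# offsets in effect on the sample June dates (AEST = UTC+10, PDT = UTC-7).
USER_TZ = {
    "UTC": timezone.utc,
    "Sydney": timezone(timedelta(hours=10)),
    "Los Angeles": timezone(timedelta(hours=-7)),
}


def parse_event(raw):
    """Split one raw line into the date_wday-like token, a UTC epoch, and the message."""
    parts = raw.split(" ", 6)            # 6 timestamp tokens + the rest of the line
    ts_text = " ".join(parts[:6])
    dt = datetime.strptime(ts_text, TS_FORMAT)   # offset-aware thanks to %z
    return {
        # What date_wday holds: the weekday exactly as written in the raw event,
        # with no time-zone adjustment at all.
        "raw_wday": parts[0],
        # What _time holds: the normalized instant, i.e. epoch seconds in UTC.
        "_time": dt.timestamp(),
        "message": parts[6],
    }


def display_wday(epoch, user_tz):
    """Equivalent of eval weekday=strftime(_time,"%a") rendered in the viewer's zone."""
    return datetime.fromtimestamp(epoch, tz=USER_TZ[user_tz]).strftime("%a")


def wday_mismatches(raw_events, user_tz):
    """Return (raw_wday, displayed_wday, message) for events where the two disagree.

    Any event in this list would be kept by `date_wday!=Saturday` or dropped by it
    based on the raw text, regardless of the weekday the viewer actually sees.
    """
    out = []
    for raw in raw_events:
        ev = parse_event(raw)
        shown = display_wday(ev["_time"], user_tz)
        if shown != ev["raw_wday"]:
            out.append((ev["raw_wday"], shown, ev["message"]))
    return out


if __name__ == "__main__":
    for tz_name in USER_TZ:
        print(tz_name, wday_mismatches(RAW_EVENTS, tz_name))
```

Running it shows that a viewer in UTC sees the second event on Sunday even though its raw text (and therefore date_wday) says Saturday, a viewer in Sydney sees both events on Sunday, and a viewer in Los Angeles sees no disagreement at all. That is exactly why a filter on date_wday can return nothing for one user and plenty for another, while strftime(_time,"%a") tracks what the user actually sees.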