Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is it possible to extract the name of the day and month from an event date field in the format dd/mm/yyyy?

Notinocrunch
New Member
‎11-17-2014 05:29 PM

Assuming all my eventdate fields are in the following format: dd/mm/yyyy i.e 12/06/2014

Is it possible to work with the eventdate field in ways such as the following:

  • Return all events that occured on a Monday
  • Return all events that occured in June
Tags (2)
0 Karma
Reply

lguinn2
Legend
‎11-17-2014 05:52 PM

Yes, like this

yoursearchhere
| eval dayofweek = strftime(_time,"%A")
| eval month = strftime(_time,"%m")
| where month=6 AND dayofweek="Monday"

This method does not use the text fields in your input - it actually uses the normalized timestamp that Splunk creates when it parses the incoming data. This is more reliable if you have data coming from multiple timezones, etc.

Reply

Notinocrunch
New Member
‎11-17-2014 07:37 PM

@Iguinn the timestamp when you import your data is different to the eventdate that the actual event occured on though right? For example, if I import a csv file today that contains records for the past year, I want my search to search on the eventdate withni the CSV and not the day I upload my data.

0 Karma
Reply

lguinn2
Legend
‎11-18-2014 08:01 AM

The timestamp (_time) should be the time of the data within the CSV. You should set that up as part of bringing your data into Splunk. Splunk also keeps the time that the data was indexed (_indextime), but that field is rarely used.

If your timestamp does not correspond to the dates within the CSV, you are doing it wrong. If your CSV has headers, you might find this page in the documentation useful: Extract data from files with headers

Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...