Splunk Search

No date_wday from U.F. collecting Windows event logs

hartfoml
Motivator

I was collecting Windows event logs using an agentless Splunk server through remote WMI calls, and the "sourcetype=WMI:WinEventLog:*" _raw data had a date format like this: "20111020135801.037162"
Splunk indexed the data with the customary date formats to include date_wday

I have recently switched to U.F. collection and the locally collected and forwarded "sourcetype=WinEventLog:*" _raw data has a date format like this "10/20/11 2:08:42.000 PM" which does not include the date_wday.

I am assuming that this date format is preprocessed at the U.F. before sending.

Some of my reports are dependent on the day of the week because maintenance night is Wednesday.

How do I get date_wday and the others back into my U.F. "sourcetype=WinEventLog:*" data?

By the way, I am also collecting WMI data locally on the U.F. and the date format is not preprocessed at the U.F. so the date formats are derived correctly during indexing.

0 Karma
1 Solution

Ayn
Legend

This (unfortunately) seems to be more or less expected behaviour, as per the response received from support in this question: http://splunk-base.splunk.com/answers/30822/date_hour-not-present-in-wineventlogs

As you can see on the same page, there are workarounds you can use for getting date_wday in other ways instead.


hartfoml
Motivator

This is Great Stuff

Thanks

0 Karma

Ayn
Legend

For getting date_wday using strftime, use the %A directive. Like this:

... | eval date_wday = strftime(_time, "%A")

For more strftime directives, see for instance http://strftime.org/
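As an added illustration (not part of Ayn's answer or any Splunk code), the script below parses both raw timestamp formats quoted in the question, the WMI "20111020135801.037162" style and the forwarder's "10/20/11 2:08:42.000 PM" style, and derives date_wday and the other date_* fields from the parsed time with the same %A directive the eval above uses. The sample events, the field names in the dictionaries and the helper names are all constructed for this example; it assumes the raw strings carry no timezone suffix, as in the strings quoted in the thread.

```python
"""Added example, not from the thread: derive date_wday (and friends) from
the two raw timestamp formats quoted in the question via strftime("%A")."""
from datetime import datetime

# Constructed sample events modelled on the two formats quoted in the question.
SAMPLE_EVENTS = [
    # WMI:WinEventLog style, which Splunk indexes with date_* fields
    {"sourcetype": "WMI:WinEventLog:Security", "ts": "20111020135801.037162"},
    # WinEventLog style from the universal forwarder, which lacks date_wday
    {"sourcetype": "WinEventLog:Security", "ts": "10/20/11 2:08:42.000 PM"},
    {"sourcetype": "WinEventLog:System", "ts": "10/19/11 11:30:00.000 PM"},
]

# strptime patterns per sourcetype prefix (assumption: no timezone suffix).
FORMATS = {
    "WMI:WinEventLog": "%Y%m%d%H%M%S.%f",
    "WinEventLog": "%m/%d/%y %I:%M:%S.%f %p",
}


def parse_time(sourcetype, ts):
    """Return a datetime for the raw timestamp, picking the pattern by sourcetype prefix."""
    for prefix, fmt in FORMATS.items():
        if sourcetype.startswith(prefix + ":"):
            return datetime.strptime(ts, fmt)
    raise ValueError(f"unknown sourcetype {sourcetype!r}")


def date_fields(dt):
    """Mirror the date_* fields Splunk derives at index time.

    date_wday comes from the %A directive, exactly as in
        ... | eval date_wday = strftime(_time, "%A")
    Splunk's indexed date_wday is lowercase ("thursday") while the eval
    yields "Thursday", so the value is lower-cased here so that searches
    written against either spelling compare the same way.
    """
    return {
        "date_wday": dt.strftime("%A").lower(),
        "date_month": dt.strftime("%B").lower(),
        "date_mday": dt.day,
        "date_year": dt.year,
        "date_hour": dt.hour,      # 24-hour clock, so "2:08 PM" becomes 14
        "date_minute": dt.minute,
        "date_second": dt.second,
    }


def enrich(events):
    """Attach the derived date_* fields to each raw event."""
    out = []
    for ev in events:
        dt = parse_time(ev["sourcetype"], ev["ts"])
        out.append({**ev, **date_fields(dt)})
    return out


def maintenance_night_events(events, wday="wednesday"):
    """Return only the events that fall on the maintenance weekday.

    This is the report filter the question describes: the equivalent SPL
    would be ... | where date_wday="wednesday" after the eval above.
    """
    return [ev for ev in enrich(events) if ev["date_wday"] == wday]


if __name__ == "__main__":
    for ev in enrich(SAMPLE_EVENTS):
        print(ev["sourcetype"], ev["ts"], "->", ev["date_wday"], ev["date_hour"])
    print("maintenance night:", [e["ts"] for e in maintenance_night_events(SAMPLE_EVENTS)])
```

Running it shows that the WMI-format event and the forwarder-format event for 20 October 2011 both resolve to the same weekday (Thursday), so the weekday reports can be rebuilt from _time alone regardless of which collection path produced the event; only the 19 October event is picked out as a Wednesday maintenance-night event.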

hartfoml
Motivator

Ayn,

I saw your other post for date_hour. Could I trouble you to help with the code for date_wday? Pretty please, Splunk Master!!!

Mike H.

0 Karma

hartfoml
Motivator

Thanks, this was very helpful

0 Karma