Splunk Search

Relative time using date_mday and date_wday in search syntax

nbharadwaj
Path Finder

I am trying to trend some metrics for the first Wednesday of each month, over a time range of 6 months. I have something like this, but it keeps spinning saying its scanning events, but no events shows up (when I expect to see a lot for the Wednesdays)

index=ABC earliest=05/01/2010:00:00:00 latest=01/13/2011:00:00:00 date_wday=Wednesday date_mday>=1 date_mday<=7 | ....

I am using 4.1.4.3, build 89226 It keeps scanning events, but never seems to get any back. I think something is wrong in the query syntax, but Splunk is not failing on it, its just working hard to find nothing.

Tags (2)
1 Solution

sideview
SplunkTrust
SplunkTrust

The problem that while date_wday and date_mday are indexed fields, Splunk treats them as search-time fields here because you are using the > and < operators.

Change to this and I think you'll be fine:

index=ABC date_wday=Wednesday ( date_mday=1 OR date_mday=2 OR date_mday=3 OR date_mday=4 OR date_mday=5 OR date_mday=6 OR date_mday=7 ) | ...

In a way Splunk is just being careful here. This search here with all the OR's is a pretty explicit search matching only 7 values. But what if date_mday happened to have a value of "6.5"? Splunk is just falling back to more conservative search-time filtering so it doesnt miss any potential values...

View solution in original post

sideview
SplunkTrust
SplunkTrust

The problem that while date_wday and date_mday are indexed fields, Splunk treats them as search-time fields here because you are using the > and < operators.

Change to this and I think you'll be fine:

index=ABC date_wday=Wednesday ( date_mday=1 OR date_mday=2 OR date_mday=3 OR date_mday=4 OR date_mday=5 OR date_mday=6 OR date_mday=7 ) | ...

In a way Splunk is just being careful here. This search here with all the OR's is a pretty explicit search matching only 7 values. But what if date_mday happened to have a value of "6.5"? Splunk is just falling back to more conservative search-time filtering so it doesnt miss any potential values...

nbharadwaj
Path Finder

speeded up my search considerably!

0 Karma
Get Updates on the Splunk Community!

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...

DevSecOps: Why You Should Care and How To Get Started

 WATCH NOW In this Tech Talk we will talk about what people mean by DevSecOps and deep dive into the different ...