Splunk Search

Relative time using date_mday and date_wday in search syntax

nbharadwaj
Path Finder

I am trying to trend some metrics for the first Wednesday of each month, over a time range of 6 months. I have something like this, but it keeps spinning saying it's scanning events, but no events show up (when I expect to see a lot for the Wednesdays)

index=ABC earliest=05/01/2010:00:00:00 latest=01/13/2011:00:00:00 date_wday=Wednesday date_mday>=1 date_mday<=7 | ....

I am using 4.1.4.3, build 89226. It keeps scanning events, but never seems to get any back. I think something is wrong in the query syntax, but Splunk is not failing on it, it's just working hard to find nothing.

1 Solution

sideview
SplunkTrust

The problem is that while date_wday and date_mday are indexed fields, Splunk treats them as search-time fields here because you are using the > and < operators.

Change to this and I think you'll be fine:

index=ABC date_wday=Wednesday ( date_mday=1 OR date_mday=2 OR date_mday=3 OR date_mday=4 OR date_mday=5 OR date_mday=6 OR date_mday=7 ) | ...

In a way Splunk is just being careful here. This search here with all the ORs is a pretty explicit search matching only 7 values. But what if date_mday happened to have a value of "6.5"? Splunk is just falling back to more conservative search-time filtering so it doesn't miss any potential values...
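As an added illustration (not code from the thread or from Splunk itself), the Python below builds the explicit-OR form of the search for any set of days, and then models the difference the answer describes: an enumerated list of literals only matches exact values, while a numeric range comparison also accepts a value such as "6.5". The matching functions are a simplified model of indexed-term versus search-time comparison, not Splunk's actual implementation, and the sample events are constructed. The `first_weekday_of_month` helper is added to show why the 1..7 window is the right one: the first occurrence of any weekday always falls on date_mday 1 through 7.

```python
from datetime import date, timedelta


def build_first_week_search(index, weekday, days=range(1, 8),
                            earliest=None, latest=None):
    """Hypothetical helper: return an SPL search that keeps date_wday and
    date_mday as indexed-field terms by listing exact values instead of
    using > / < comparisons (the form from the accepted answer)."""
    parts = [f"index={index}"]
    if earliest:
        parts.append(f"earliest={earliest}")
    if latest:
        parts.append(f"latest={latest}")
    parts.append(f"date_wday={weekday}")
    parts.append("( " + " OR ".join(f"date_mday={d}" for d in days) + " )")
    return " ".join(parts)


def matches_enumerated(value, days):
    """Simplified indexed-term semantics (assumption, not Splunk's code):
    the event's date_mday must equal one of the listed literals exactly,
    so "6.5" or "07" never match the literal 7."""
    return any(str(value) == str(d) for d in days)


def matches_range(value, lo, hi):
    """Simplified search-time comparison semantics (assumption): the value
    is parsed as a number and tested against the bounds, so "6.5" lies
    inside 1..7 and would be kept."""
    try:
        return lo <= float(value) <= hi
    except ValueError:
        return False


def first_weekday_of_month(year, month, weekday):
    """Date of the first <weekday> (0=Monday ... 6=Sunday) in a month.
    Its day number is always between 1 and 7."""
    first = date(year, month, 1)
    return first + timedelta(days=(weekday - first.weekday()) % 7)


# Constructed sample events (not real Splunk data) used to compare the filters.
SAMPLE_EVENTS = [
    {"date_wday": "wednesday", "date_mday": "3"},
    {"date_wday": "wednesday", "date_mday": "6.5"},
    {"date_wday": "wednesday", "date_mday": "10"},
    {"date_wday": "thursday", "date_mday": "2"},
]


def filter_events(events, weekday="wednesday", days=range(1, 8), use_range=False):
    """Return the date_mday values of events kept by either filtering model."""
    kept = []
    for event in events:
        if event["date_wday"] != weekday:
            continue
        if use_range:
            ok = matches_range(event["date_mday"], min(days), max(days))
        else:
            ok = matches_enumerated(event["date_mday"], days)
        if ok:
            kept.append(event["date_mday"])
    return kept


if __name__ == "__main__":
    print(build_first_week_search("ABC", "Wednesday",
                                  earliest="05/01/2010:00:00:00",
                                  latest="01/13/2011:00:00:00"))
    print("enumerated:", filter_events(SAMPLE_EVENTS))
    print("range:     ", filter_events(SAMPLE_EVENTS, use_range=True))
    # 2 = Wednesday; the first Wednesday of each month lands on day 1..7
    for year, month in [(2010, 5), (2011, 1)]:
        print(first_weekday_of_month(year, month, 2))
```

The enumerated filter keeps only the event with date_mday "3"; the range model additionally keeps "6.5", which is the kind of value the answer says Splunk refuses to rule out when it sees > and <, and why it falls back to the slower search-time path.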


nbharadwaj
Path Finder

speeded up my search considerably!
