Splunk Search

Trying to get a range of dates right based on a last Saturday of the month

Communicator

hi there, the 1st and 3rd statement is wrong and the 2nd might be correct.
Here is what I am trying to do:

Current Month: (meaning beginning of the current MONTH up to the last SATURDAY of current's month):
          <earliest>@mon</earliest>
          <latest>now</latest>
          example: Feb 1st through 4th (previous SAT)

Month to Date: (meaning beginning of the current MONTH up to today's date):
          <earliest>@mon</earliest>
          <latest>now</latest>
          example: Feb 1st to 7 (today's date)

Year to Date: (meaning beginning of the current YEAR up to the last SATURDAY of current's month):
          <earliest>@y</earliest>
          <latest>now</latest>
          example: JAN 1st to last SATURDAY of February

Thank you

Tags (2)
0 Karma
1 Solution

Revered Legend

Here you go

Updated

Current Month: (meaning beginning of the current MONTH up to the last SATURDAY of current's month):
           <earliest>@mon</earliest>
           <latest>@w6+1d</latest>
           example: Feb 1st through 4th (previous SAT)

 Month to Date: (meaning beginning of the current MONTH up to today's date):  THIS WAS CORRECT already.
           <earliest>@mon</earliest>
           <latest>now</latest>
           example: Feb 1st to 7 (today's date)

 Year to Date: (meaning beginning of the current YEAR up to the last SATURDAY of current's month):
           <earliest>@y</earliest>
           <latest>+1mon@mon@w6+1d</latest>
           example: JAN 1st to last SATURDAY of February

View solution in original post

0 Karma

Revered Legend

Here you go

Updated

Current Month: (meaning beginning of the current MONTH up to the last SATURDAY of current's month):
           <earliest>@mon</earliest>
           <latest>@w6+1d</latest>
           example: Feb 1st through 4th (previous SAT)

 Month to Date: (meaning beginning of the current MONTH up to today's date):  THIS WAS CORRECT already.
           <earliest>@mon</earliest>
           <latest>now</latest>
           example: Feb 1st to 7 (today's date)

 Year to Date: (meaning beginning of the current YEAR up to the last SATURDAY of current's month):
           <earliest>@y</earliest>
           <latest>+1mon@mon@w6+1d</latest>
           example: JAN 1st to last SATURDAY of February

View solution in original post

0 Karma

Communicator

Wouldn't be better to use @w-1s (data up to 11:59:59 PM) instead of @w6 (Data up to 12:00:00 A.M) ?

0 Karma

Revered Legend

The latest timestamp is not included in the timerange, so you will miss events that have happened at 11:59:59 PM. A better option would be to just use @w6+1d so that full saturday's data is counted. Updated the answer accordingly.

0 Karma

Communicator

Thanks again!

0 Karma

Communicator

Thank you sir.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!