Splunk Search

Trying to get a range of dates right based on a last Saturday of the month

Communicator

Hi there, the 1st and 3rd statements are wrong and the 2nd might be correct.
Here is what I am trying to do:

Current Month: (meaning beginning of the current MONTH up to the last SATURDAY of the current month):
          <earliest>@mon</earliest>
          <latest>now</latest>
          example: Feb 1st through 4th (previous SAT)

Month to Date: (meaning beginning of the current MONTH up to today's date):
          <earliest>@mon</earliest>
          <latest>now</latest>
          example: Feb 1st to 7 (today's date)

Year to Date: (meaning beginning of the current YEAR up to the last SATURDAY of the current month):
          <earliest>@y</earliest>
          <latest>now</latest>
          example: JAN 1st to last SATURDAY of February

Thank you

0 Karma
1 Solution

SplunkTrust

Here you go

Updated

Current Month: (meaning beginning of the current MONTH up to the last SATURDAY of the current month):
           <earliest>@mon</earliest>
           <latest>@w6+1d</latest>
           example: Feb 1st through 4th (previous SAT)

Month to Date: (meaning beginning of the current MONTH up to today's date): THIS WAS CORRECT already.
           <earliest>@mon</earliest>
           <latest>now</latest>
           example: Feb 1st to 7 (today's date)

Year to Date: (meaning beginning of the current YEAR up to the last SATURDAY of the current month):
           <earliest>@y</earliest>
           <latest>+1mon@mon@w6+1d</latest>
           example: JAN 1st to last SATURDAY of February


0 Karma

Communicator

Wouldn't it be better to use @w-1s (data up to 11:59:59 PM) instead of @w6 (data up to 12:00:00 AM)?

0 Karma

SplunkTrust

The latest timestamp is not included in the time range, so you will miss events that have happened at 11:59:59 PM. A better option would be to just use @w6+1d so that the full Saturday's data is counted. Updated the answer accordingly.

0 Karma
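
A small Python model of the time modifiers used in the accepted answer, added here as an example (it is not Splunk's code and not part of the original posts). It assumes modifiers apply left to right and that a snap rounds down to the boundary at or before the current time; the year 2017 for the thread's "Feb 7" and the function names are assumptions.

```python
import calendar
import re
from datetime import datetime, timedelta

# Simplified model of Splunk time modifiers (an assumption, not Splunk code):
# parts apply left to right; a snap rounds DOWN to the boundary at or before t.
TOKEN = re.compile(r"([+-]\d+)(mon|d)|@(mon|y|d|w[0-6])")

def add_months(t, n):
    y, m0 = divmod(t.year * 12 + t.month - 1 + n, 12)
    last = calendar.monthrange(y, m0 + 1)[1]
    return t.replace(year=y, month=m0 + 1, day=min(t.day, last))

def snap(t, unit):
    t = t.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "mon":
        return t.replace(day=1)
    if unit == "y":
        return t.replace(month=1, day=1)
    if unit.startswith("w"):
        # Splunk counts w0 = Sunday .. w6 = Saturday; Python has Monday = 0.
        target = (int(unit[1]) - 1) % 7
        return t - timedelta(days=(t.weekday() - target) % 7)
    return t  # "d": midnight of the same day

def resolve(expr, now):
    if expr == "now":
        return now
    t, pos = now, 0
    for m in TOKEN.finditer(expr):
        if m.start() != pos:
            break
        pos = m.end()
        if m.group(3):
            t = snap(t, m.group(3))
        elif m.group(2) == "mon":
            t = add_months(t, int(m.group(1)))
        else:
            t = t + timedelta(days=int(m.group(1)))
    if pos != len(expr):
        raise ValueError(f"unsupported modifier: {expr!r}")
    return t

if __name__ == "__main__":
    # Constructed dates (year 2017 assumed): the thread's Feb 7 plus two edge cases.
    for now in (datetime(2017, 2, 7, 12), datetime(2017, 3, 2, 12), datetime(2017, 3, 15, 12)):
        for expr in ("@mon", "@y", "now", "@w6+1d", "+1mon@mon@w6+1d"):
            print(now.date(), expr, "->", resolve(expr, now))
```

Under these assumptions the Mar 2 case resolves `@w6+1d` to Feb 26, which is earlier than `@mon`, and the Mar 15 case resolves `+1mon@mon@w6+1d` to Apr 2 because Apr 1, 2017 is itself a Saturday. Both are worth confirming against a real search before relying on the ranges.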

Communicator

Thanks again!

0 Karma

Communicator

Thank you sir.

0 Karma