Splunk Search

What is the command/syntax to specify a day of the week for searching?

Path Finder

What is the proper command/syntax to specify a day of the week for searching (converting date/timestamp)?

example: index="" sourcetype="abc" |other criteria | *only Thursdays*

1 Solution

Motivator

You can eval _time into a text day of the week and then search for that. For example, if you wanted to search for a condition over the previous month but are only interested in what happened each Thursday of that month:

index="" sourcetype="abc" | other criteria | eval DayOfWeek=strftime(_time, "%A") | search DayOfWeek="Thursday"

You can find more information on strftime and date formatting here, here and here.

Alternatively, you can set up a calculated field extraction in props.conf that performs this time transformation for you at search time and just search for DayOfWeek=Thursday in the initial part of the search or at anytime afterwards. Your props.conf extraction would look like this:

EVAL-DayOfWeek = strftime(_time, "%A")

More information on calculated fields here.


Revered Legend

You can utilize in-built fields like date_wday to filter your events for just Thursday. Note that this field may not be present for all data sources. In that case you can create a date_wday field from _time using strftime function.

Influencer

Assuming that you need to run the search only for Thursday's data:

index="" sourcetype="abc" earliest=@w4 latest=@w5

If you need to run the search every Thursday then you need to use cron_schedule.

As ppablo commented, if you can tell us whether it is a live or a scheduled search, then we can help in a better way.
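To make the two approaches in this thread concrete, the following added example (not code from the thread or from Splunk) re-implements in Python what the SPL above does, over constructed rows in the asker's `date,open,high,low,close,volume,adjclose` format: the `strftime(_time, "%A")` day-of-week filter, and an `@w<N>` snap as used by `earliest=@w4 latest=@w5`, which is assumed here to mean midnight of the most recent weekday N (w0 = Sunday). Splunk itself is not called; the modifiers are simulated so the difference between the two approaches over multi-year data can be seen.

```python
from datetime import datetime, timedelta

# Constructed sample events in the asker's format (one event per line).
SAMPLE_EVENTS = """\
2012-01-03,27.50,27.75,27.30,27.60,300100,2.40
2012-01-04,27.60,28.10,27.55,28.00,310500,2.44
2012-01-05,28.38,28.50,28.25,28.25,362800,2.48
2012-01-06,28.30,28.40,27.90,28.00,290000,2.46
2012-01-12,28.10,28.60,28.00,28.55,333300,2.49
"""


def parse_time(line, time_format="%Y-%m-%d"):
    """Mimic TIME_FORMAT in props.conf: _time is taken from the first field."""
    return datetime.strptime(line.split(",", 1)[0], time_format)


def day_of_week(ts):
    """Equivalent of: eval DayOfWeek=strftime(_time, "%A")."""
    return ts.strftime("%A")


def only_weekday(events, name):
    """Equivalent of: ... | eval DayOfWeek=strftime(_time,"%A") | search DayOfWeek=name
    Runs over every event, so it returns every matching weekday in the data."""
    return [ln for ln in events.splitlines() if day_of_week(parse_time(ln)) == name]


def snap_to_weekday(now, w):
    """Assumed @w<N> semantics: midnight of the most recent weekday N, with w0=Sunday.
    Python's weekday() uses Monday=0, so shift the index by one."""
    py_w = (w - 1) % 7
    delta = (now.weekday() - py_w) % 7
    return (now - timedelta(days=delta)).replace(hour=0, minute=0, second=0, microsecond=0)


def time_modifier_window(now):
    """earliest=@w4 latest=@w5, evaluated relative to the search time `now`."""
    return snap_to_weekday(now, 4), snap_to_weekday(now, 5)


def events_in_window(events, earliest, latest):
    """Events with earliest <= _time < latest, as a time-range search would return."""
    return [ln for ln in events.splitlines() if earliest <= parse_time(ln) < latest]
```

Run from a Wednesday such as 2012-01-11, the time-modifier window covers only the single most recent Thursday, whereas the eval-based filter returns every Thursday in the data; which one fits depends on whether the search is live over history or scheduled.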

Influencer

If your log event is
2012-01-05,28.38,28.50,28.25,28.25,362800,2.48
and you have TIME_FORMAT properly defined in your props.conf file then follow the approach that wpreston has suggested.

Path Finder

Thank you for the doc reference! This is not a cron'd search. I'm parsing several years worth of data but I only want to return a specific day of the week.

Data format is as such:

2012-01-05,28.38,28.50,28.25,28.25,362800,2.48

Does earliest/latest require a conversion of the date to a day first?

Community Manager

Hi @jlkokko

If you're doing a live search, the following documentation on specifying time modifiers should be what you're looking for. (@strive's search will do the trick)
http://docs.splunk.com/Documentation/Splunk/6.1.2/Search/Specifytimemodifiersinyoursearch

If you're setting up a scheduled search, a cron schedule might make more sense.
http://docs.splunk.com/Documentation/Splunk/6.1.2/Report/Schedulereports#Specify_a_cron_schedule_for...

Community Manager

Hi @jlkokko

Are you trying do a live search or set up a scheduled search?
