
Want the current day of the week with now(), then I want to use the value to compare data for past 4 weeks for same DOW

MayankChandra
Engager

Need help:

I have a Splunk query where I want to evaluate today (day of week) using now() and then use it to compare data for past 4 weeks for same day of week. If today is Monday, I want to compare data for past 4 Mondays with today.

0 Karma
1 Solution

ITWhisperer
SplunkTrust
| eval dow=strftime(now(),"%w")
| eval eventdow=strftime(_time,"%w")
| where dow=eventdow


0 Karma


MayankChandra
Engager

@ITWhisperer One more question. If I want to evaluate yesterday and then perform the comparisons with same day of week (which yesterday evaluates to) with previous weeks, what would be the query?

0 Karma

MayankChandra
Engager

@ITWhisperer 

For yesterday or a day before the current day would the below be correct?

| eval yesterday = strftime(relative_time(now(), "-1d@d"), "%w")
| eval eventdow=strftime(_time,"%w")
| where yesterday=eventdow

0 Karma

ITWhisperer
SplunkTrust

Yes, that would be correct

0 Karma

MayankChandra
Engager

@ITWhisperer Thanks a ton!!

0 Karma

MayankChandra
Engager

sample queries for 

Compare a day of the week to the same day of the previous weeks

0 Karma

MayankChandra
Engager

Can someone provide some examples?

0 Karma
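
Added example, not part of any post in this thread: a complete search that applies the day-of-week filter from the accepted solution to today plus the same weekday in each of the previous 4 weeks, then compares today's event count with the average of those 4 earlier days. `index=your_index` is a placeholder, and the field names `secs_into_day`, `day`, `events`, `prior_events`, `baseline_avg` and `pct_vs_baseline` are chosen here for illustration. Because today is only partly over, each earlier day is cut off at the same time of day so that the counts cover equal windows.

```spl
index=your_index earliest=-28d@d latest=now
| eval dow=strftime(now(),"%w")
| eval eventdow=strftime(_time,"%w")
| where dow=eventdow
| eval secs_into_day=_time-relative_time(_time,"@d")
| where secs_into_day<=now()-relative_time(now(),"@d")
| eval day=strftime(_time,"%Y-%m-%d")
| stats count AS events BY day
| eval prior_events=if(day=strftime(now(),"%Y-%m-%d"),null(),events)
| eventstats avg(prior_events) AS baseline_avg
| eval pct_vs_baseline=round((events-baseline_avg)/baseline_avg*100,1)
| sort day
```

The result has one row per matching date (up to five), with today's row showing its percentage difference from the 4-week same-weekday average.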