Solved: want the current day of the week with now() then i...

MayankChandra · ‎08-23-2021

Need help :

I have a splunk query where i want to evaluate today (day of week) using now() and then use it to compare data for past 4 weeks for same day of week. if today is MOnday, i want to compare data for past 4 mondays with today.

ITWhisperer · ‎08-23-2021

| eval dow=strftime(now(),"%w")
| eval eventdow=strftime(_time,"%w")
| where dow=eventdow

View solution in original post

ITWhisperer · ‎08-23-2021

| eval dow=strftime(now(),"%w")
| eval eventdow=strftime(_time,"%w")
| where dow=eventdow

MayankChandra · ‎08-23-2021

@ITWhisperer One more question. If i want to evaluate yesterday and then perform the comparisons with same day of week (which yesterday evaluates to) with previous weeks what would be the query?

MayankChandra · ‎08-23-2021

@ITWhisperer

For yesterday or a day before the current day would the below be correct?

| eval yesterday = strftime(relative_time(now(), "-1d@d"), "%w")| eval eventdow=strftime(_time,"%w")| where yesterday=eventdow

ITWhisperer · ‎08-24-2021

Yes, that would be correct

MayankChandra · ‎08-23-2021

@ITWhisperer Thanks a ton!!

MayankChandra · ‎08-23-2021

sample queries for

Compare a day of the week to the same day of the previous weeks

MayankChandra · ‎08-23-2021

Can someone provide some examples?

want the current day of the week with now() then i want to use value to compare data for past 4 weeks for same DOW

eval

Index This | A sphere has three, a circle has two, and a point has zero. What is it?

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

Mission Control | Explore the latest release of Splunk Mission Control (2.3)