No date_wday from U.F. collecting windows event logs

hartfoml
Motivator

I was collecting Windows event logs using an agentless Splunk server through remote WMI calls, and the "sourcetype=WMI:WinEventLog:*" _raw data had a date format like this: "20111020135801.037162".
Splunk indexed the data with the customary date fields, including date_wday.

I have recently switched to U.F. collection, and the locally collected and forwarded "sourcetype=WinEventLog:*" _raw data has a date format like this: "10/20/11 2:08:42.000 PM", which does not include the date_wday.

I am assuming that this date format is preprocessed at the U.F. before sending.

Some of my reports are dependent on the day of the week because maintenance night is Wednesday.

How do I get date_wday and the others back into my U.F. "sourcetype=WinEventLog:*" data?

By the way, I am also collecting WMI data locally on the U.F., and that date format is not preprocessed at the U.F., so the date fields are derived correctly during indexing.

0 Karma
1 Solution

Ayn
Legend

This (unfortunately) seems to be more or less expected behaviour, as per the response received from support in this question: http://splunk-base.splunk.com/answers/30822/date_hour-not-present-in-wineventlogs

As you can see on the same page, there are workarounds you can use for getting date_wday in other ways instead.


hartfoml
Motivator

This is great stuff.

Thanks

0 Karma

Ayn
Legend

For getting date_wday using strftime, use the %A directive. Like this:

... | eval date_wday = strftime(_time, "%A")

For more strftime directives, see for instance http://strftime.org/
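The workaround above, carried through into a complete search, as an added example that is not part of the original answer. It recreates date_wday, date_hour and date_month from _time on UF-collected WinEventLog events and then restricts to the maintenance window; the window (Wednesday, 22:00 onward), the summary by host and EventCode, and the field names beyond date_wday are assumptions for illustration. Two details a practitioner would want: the native date_wday values Splunk produces are lowercase ("wednesday"), so wrapping strftime in lower() keeps the recreated field compatible with existing reports that filter on date_wday=wednesday; and strftime(_time, ...) renders in the searching user's timezone, whereas the native date_* fields reflect the timestamp literal in the raw event, so the two agree only when the user's timezone matches the event source's.

```spl
sourcetype=WinEventLog:*
| eval date_wday=lower(strftime(_time, "%A"))
| eval date_hour=tonumber(strftime(_time, "%H"))
| eval date_month=lower(strftime(_time, "%B"))
| where date_wday="wednesday" AND date_hour>=22
| stats count AS events, min(_time) AS first_seen, max(_time) AS last_seen BY host, EventCode
| convert ctime(first_seen) ctime(last_seen)
| sort - events
```

If the field is needed in many reports rather than one search, the same expression can be made a calculated field on the search head (assuming a Splunk version that supports calculated fields) by adding `EVAL-date_wday = lower(strftime(_time, "%A"))` under the relevant sourcetype stanza in props.conf, after which date_wday appears on UF-collected events without an explicit eval in every search.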

hartfoml
Motivator

Ayn,

I saw your other post for date_hour. Could I trouble you to help with the code for date_wday? Pretty please, Splunk Master!

Mike H.

0 Karma

hartfoml
Motivator

Thanks this was very helpful

0 Karma