topic Re: How to exclude specific time ranges in search results in Getting Data In

How to exclude specific time ranges in search results

jedatt01 — Wed, 26 Mar 2014 14:50:20 GMT

I have a datasource which contains availability statistics from an application. I also have a predetermined maintenance schedule that occurs every two weeks on the same day and time. How can I use search to exclude the date/time ranges for my maintenance schedule in my search results?

Re: How to exclude specific time ranges in search results

somesoni2 — Wed, 26 Mar 2014 15:16:06 GMT

If do something like this

index=yourIndex| eval MaintEnd=strptime("2014/03/26 11:00:00 AM","%Y/%m/%d %H:%M:%S %p") | eval MaintStart=strptime("2014/03/26 10:50:00 AM","%Y/%m/%d %H:%M:%S %p") | where _time > MaintEnd OR _time < MaintStart

Re: How to exclude specific time ranges in search results

jedatt01 — Wed, 26 Mar 2014 15:33:50 GMT

That gets me closer. Now how can I specify a relative day, like every friday?

Re: How to exclude specific time ranges in search results

martin_mueller — Wed, 26 Mar 2014 15:37:38 GMT

If the maintenance window were every wednesday between 3am and 5am you could do this:

index=yourIndex NOT (date_wday=wednesday date_hour>=3 date_hour<5)

Then Splunk would not even load those events off disk - great if a lot of volume happens during maintenance.
However, I don't think there's a straightforward way of specifying "every other wednesday".

Re: How to exclude specific time ranges in search results

jiman7697 — Wed, 10 Apr 2019 17:12:15 GMT

If you're trying to detect a 0-event period excluding some outage window timeframe, here's a generic search you could use:

index=my_index sourcetype=my_sourcetype  my_filter_criteria_here
| timechart span=1m count 
| search count=0 
| where NOT (date_wday=="sunday" AND date_hour >= 0 AND date_hour < 4)

I'm doing the where clause after detecting 0-event minutes because if you initially filter by those windows, you'll see no events there. Obviously if you are looking for a certain event rather than monitoring for a void in events you can do that filter right in the first line of the search.
You'd have to add more to your where clause to specify bi-weekly windows.