https://community.splunk.com/t5/Dashboards-Visualizations/How-can-we-identify-events-based-on-timestamp/m-p/464258#M30509 <P>This would have been good to know originally.<BR /> All you can do is set the time picker for 30 days and use <CODE>where</CODE> to include events in the desired time range.</P> <PRE><CODE>... | eval hour = strptime ( strftime (_time, "%H"), "%H") | where (hour &gt;= 8 AND hour &lt; 10) OR (hour &gt;= 13 AND hour &lt; 15) OR (hour &gt;= 17 AND hour &lt; 19) </CODE></PRE> Wed, 01 Apr 2020 12:46:18 GMT richgalloway 2020-04-01T12:46:18Z https://community.splunk.com/t5/Dashboards-Visualizations/How-can-we-identify-events-based-on-timestamp/m-p/464255#M30506 <P>I am indexing a file 3 times a day in splunk. Timings are around 8:30 am , 1:30 pm and 5:15 pm these are not fixed timings as job generating the file is dependent on predecessor jobs and every day timings may vary a little bit. <BR /> Each time same job runs and produce data that i want to use to create a report but i want create a seperate report for all three runs.</P> <P>For example i want to make dashboard for 8:30 am run so events of 1:30 and 5:15 pm should not appear in the searchs for this dashboard. So i have to identify my events based on a timestamp range. </P> <P>Can someone help me out how can i identify events based on timestamps they indexed ?</P> Mon, 30 Mar 2020 13:47:38 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-can-we-identify-events-based-on-timestamp/m-p/464255#M30506 ravicheepa87 2020-03-30T13:47:38Z https://community.splunk.com/t5/Dashboards-Visualizations/How-can-we-identify-events-based-on-timestamp/m-p/464256#M30507 <P>Use relative time ranges. <CODE>earliest = @d+8h latest = @d+10h</CODE> for the first report, <CODE>earliest = @d+13h latest = @d+14h</CODE> for the second and <CODE>earliest = @d+17h latest = @d@19h</CODE> for the last.</P> Mon, 30 Mar 2020 14:49:57 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-can-we-identify-events-based-on-timestamp/m-p/464256#M30507 richgalloway 2020-03-30T14:49:57Z https://community.splunk.com/t5/Dashboards-Visualizations/How-can-we-identify-events-based-on-timestamp/m-p/464257#M30508 <P>Hi @richgalloway thanks for the suggestion but this will give me only today's time range. But i want events between 8am to 10 am over a range of 30 days. When i try earliest =-30d@d+8h Latest = @d+10h it gives me all event from 30th day 8am in past to 10 am today but i want events from between 8-10 am for each day in past 30 days.</P> Wed, 01 Apr 2020 06:27:55 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-can-we-identify-events-based-on-timestamp/m-p/464257#M30508 ravicheepa87 2020-04-01T06:27:55Z https://community.splunk.com/t5/Dashboards-Visualizations/How-can-we-identify-events-based-on-timestamp/m-p/464258#M30509 <P>This would have been good to know originally.<BR /> All you can do is set the time picker for 30 days and use <CODE>where</CODE> to include events in the desired time range.</P> <PRE><CODE>... | eval hour = strptime ( strftime (_time, "%H"), "%H") | where (hour &gt;= 8 AND hour &lt; 10) OR (hour &gt;= 13 AND hour &lt; 15) OR (hour &gt;= 17 AND hour &lt; 19) </CODE></PRE> Wed, 01 Apr 2020 12:46:18 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-can-we-identify-events-based-on-timestamp/m-p/464258#M30509 richgalloway 2020-04-01T12:46:18Z https://community.splunk.com/t5/Dashboards-Visualizations/How-can-we-identify-events-based-on-timestamp/m-p/464259#M30510 <P>Hi Rich,</P> <P>Thanks it's working now but it's wroking with below code:<BR /> eval hour=strftime(_time,"%H") | where (hour &gt;= 7 AND hour &lt; 10) . I am getting hour as spaces if i use strptime function as mentioned by you.</P> Thu, 02 Apr 2020 05:31:43 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-can-we-identify-events-based-on-timestamp/m-p/464259#M30510 ravicheepa87 2020-04-02T05:31:43Z