topic Re: how to retrieve one week data only between 6pm to 9pm in Dashboards & Visualizations

how to retrieve one week data only between 6pm to 9pm

mvaradarajam — Fri, 04 Jul 2014 13:10:44 GMT

Hi All,
how to retrieve one week data only between 6pm to 9pm.in 1 day span

monday--- 6pm-9pm
tuesday----6pm--9pm

like that?

Re: how to retrieve one week data only between 6pm to 9pm

kristian_kolb — Fri, 04 Jul 2014 13:44:21 GMT

Normally the retreival can be done like this;

index=bleh sourcetype=blah earliest=-7d date_hour>17 OR date_hour<21

Then you must figure out if/how you want to report on that data, i.e. making some statistics, graphs etc etc.

Re: how to retrieve one week data only between 6pm to 9pm

digdug — Sat, 05 Jul 2014 18:56:29 GMT

If you want to summarize data by day for events between 6pm and 9pm, this should get you started:

YOUR_BASIC_QUERY_HERE (date_hour>=18 AND date_hour<21) earliest=@w1 latest=@w6 | timechart span=1d count

Given your example, I assume you want results for Monday through Friday. If you wanted the full week, use earliest=@w0 latest=@w6+d.

Re: how to retrieve one week data only between 6pm to 9pm

Ayn — Sun, 06 Jul 2014 07:08:47 GMT

In addition to both these answers it's important to note that the date_* fields do NOT always exist in events. It only exists for events where the timestamp processor has parsed the timestamp. This is not the case for Windows event logs sent from a forwarder, for instance. If you want to make sure you always have the field date_hour, you could do something like this:

... | eval date_hour=strftime(_time,"%H") | ...