_time is different than timestamp in events, searching by business hours

brandonbachman — Wed, 03 Jul 2019 23:15:18 GMT

I have events that with timestamp fields that look like this:

date="6/21/2019 6:50:49 PM"

How do I change my search so that only events during business hours appear? I only want events with timestamps between 6am and 6pm.

I have tried the following:

eval date_hour=strftime(_time, "%w") | search date_hour>=6 date_hour<=18

But the _time field is listed is this

6/21/19
10:51:09.000 AM

As you can see the _time field is about 8 hours earlier than the timestamp in my event and when I search using the _time field, my results are off by 8 hours.

Is there a way to search using the timestamps in my events rather than the _time field? Or can I adjust the _time field to increase by 8 hours so the hours match?

Re: _time is different than timestamp in events, searching by business hours

richgalloway — Thu, 04 Jul 2019 01:50:15 GMT

The time picker only considers _time. You can, however, search for other time fields. Here's one way, but I'm sure there are others.

index=foo | eval ts=strptime(date,"%m/%d/%Y %H:%M:%S %p") 
| eval start=relative_time(ts,"@d+6h"), end=relative_time(ts,"@d+18h")
| search ts>=start AND ts<end

topic _time is different than timestamp in events, searching by business hours in Splunk Search

_time is different than timestamp in events, searching by business hours

Re: _time is different than timestamp in events, searching by business hours