topic Re: search command for work time in Splunk Search

search command for work time

shirolu — Thu, 06 May 2010 16:08:29 GMT

i have one question I want to search time Daily from 9 am to 6:00 pm How can to use search command ?

Thank you for your help

Re: search command for work time

shirolu — Thu, 06 May 2010 18:44:49 GMT

hi ~ chris Thank you for your help if everyday starttime 09:00:00 to endtime 18:0:00 How to use this search command

Re: search command for work time

shirolu — Thu, 06 May 2010 21:36:09 GMT

hi ~ chris

I understand your explanation

Thanks for your help

Re: search command for work time

sajbutler — Fri, 07 May 2010 11:59:46 GMT

You can use relative time modifiers in your search term. For your specific question, for a work day of 9am to 6pm, you could specify the following:

earliest=@d+9h latest=@d+18h

Re: search command for work time

sideview — Sun, 09 May 2010 23:54:03 GMT

If you want to search just one particular day, between 9am and 6pm, do as some others have suggested here and use the relative time syntax:

In the TimeRangePicker pulldown, choose 'Custom time', then 'advanced', then in the two form fields that come up, enter on the left side:

@d+9h

and enter on the right side

@d+18h

However you have said you want to search this timerange every day. Someone else here has interpreted this to mean you want to run this search once every day as an alert.

However you can search over several days or more but restrict your results to just events during working hours by using the date_hour field like this:

<your search> date_hour>9 date_hour<18

This search can then be run over any timerange (like current business week), and it will match only events that occurred during working hours within that timerange.

More docs and examples about time range arguments can be found here: http://www.splunk.com/base/Documentation/4.1.2/User/ChangeTheTimeRangeOfYourSearch

Re: search command for work time

sideview — Sun, 09 May 2010 23:57:48 GMT

Can you clarify whether you want to a) run your search once per day, and have it search over events from that particular workday, or b) run your search over several days and only match events between 9am and 6pm on those days. Both are possible and both paths are outlined in the answers below

Re: search command for work time

sideview — Sun, 09 May 2010 23:59:07 GMT

it's much better to edit your original question or comment on someone's answer. Posting a comment as an answer to your own question is a little weird - its best to delete this.

Re: search command for work time

Lowell — Wed, 12 May 2010 03:23:26 GMT

Keep in mind that this is a new feature in Splunk 4.1.

Re: search command for work time

jumpe1414 — Wed, 21 Jul 2010 21:42:37 GMT

No answer here - I have the same question. I changed the date range through the custom time dropdown box and that works. It gives me events in the correct date range, but not the correct time range. I then added the modifiers below to the query and I get no results.

date_hour>9 date_hour<18

Any suggestions? Trying to limit my search to the previous 5 days between 5am and 9am. I can get the previous 5 days through the dropdown box but I am unable to limit the time range.