https://community.splunk.com/t5/Splunk-Search/How-to-get-total-count-of-events-excluding-specific-time-range/m-p/481574#M134967 <P>Can you please try this in place of your "where" expression?</P> <PRE><CODE>| where NOT (date_wday="monday" AND date_hour&gt;=16 AND date_hour&lt;18) AND NOT (date_wday="wednesday" AND date_hour&gt;=18 AND date_hour&lt;20) </CODE></PRE> <P>And why do you have "by events" at the end?</P> Mon, 16 Sep 2019 17:25:31 GMT jpolvino 2019-09-16T17:25:31Z https://community.splunk.com/t5/Splunk-Search/How-to-get-total-count-of-events-excluding-specific-time-range/m-p/481573#M134966 <P>Can anyone please help?</P> <P>I want to display the total count of events occurred in a week (but excluding specific day/time i.e. exclude 04-06 PM for Monday and 06-08 PM for Wednesday)</P> <P>I am running below search, but it doesn't seem to be excluding the counts for specific time because if I am trying to remove the excluding condition, I am still getting the same results.</P> <PRE><CODE>sourcetype=web_server events IN ("GET", "Delete") | eval myHour=strftime(_time, "%H") | eval myMinute=strftime(_time, "%M") | eval day_of_week = strftime(_time,"%A") | where NOT ( (day_of_week = "Monday" AND myHour= 4 AND myMinute&gt;=0) OR (day_of_week = "Monday" AND myHour=5) OR (day_of_week = "Monday" AND myHour=6 AND myMinute&lt;=59) OR (day_of_week = "Wednesday" AND myHour= 6 AND myMinute&gt;=0) OR (day_of_week = "Wednesday" AND myHour=7) OR (day_of_week = "Wednesday" AND myHour=8 AND myMinute&lt;=59)) | stats count as Total_events avg(duration) as Duration_of_events by events </CODE></PRE> Mon, 16 Sep 2019 16:25:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-total-count-of-events-excluding-specific-time-range/m-p/481573#M134966 sahil237888 2019-09-16T16:25:10Z https://community.splunk.com/t5/Splunk-Search/How-to-get-total-count-of-events-excluding-specific-time-range/m-p/481574#M134967 <P>Can you please try this in place of your "where" expression?</P> <PRE><CODE>| where NOT (date_wday="monday" AND date_hour&gt;=16 AND date_hour&lt;18) AND NOT (date_wday="wednesday" AND date_hour&gt;=18 AND date_hour&lt;20) </CODE></PRE> <P>And why do you have "by events" at the end?</P> Mon, 16 Sep 2019 17:25:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-total-count-of-events-excluding-specific-time-range/m-p/481574#M134967 jpolvino 2019-09-16T17:25:31Z https://community.splunk.com/t5/Splunk-Search/How-to-get-total-count-of-events-excluding-specific-time-range/m-p/481575#M134968 <P>try this and see if it works for you:</P> <PRE><CODE>index=&lt;YOUR_INDEX_HERE&gt; sourcetype=web_server events IN ("GET", "Delete") | eval myHour=strftime(_time, "%H") | eval myMinute=strftime(_time, "%M") | eval day_of_week = strftime(_time,"%A") | eval i_care_about_it = if((day_of_week="Monday" AND myHour=4 AND myMinute&gt;=0) OR (day_of_week="Monday" AND myHour=5) OR (day_of_week="Monday" AND myHour=6 AND myMinute&lt;=59) OR (day_of_week="Wednesday" AND myHour=6 AND myMinute&gt;=0) OR (day_of_week="Wednesday" AND myHour=7) OR (day_of_week="Wednesday" AND myHour=8 AND myMinute&lt;=59),"false","true") | stats count by i_care_about_it day_of_week myHour myMinute </CODE></PRE> <P>hope it helps</P> Mon, 16 Sep 2019 17:46:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-total-count-of-events-excluding-specific-time-range/m-p/481575#M134968 adonio 2019-09-16T17:46:17Z