topic Search for events after a certain time in Splunk Search

Search for events after a certain time

jboustead — Tue, 17 Nov 2020 17:02:56 GMT

Is it possible to run a search that will only include all the events for that day after a certain time? (using the time range picker to select the date only, so the time will be selected using the search query)

For example I am wanting the search to pick events after 8am for the day selected by the time range picker,

Re: Search for events after a certain time

inventsekar — Tue, 17 Nov 2020 17:34:49 GMT

Hi @jboustead ,
"using the time range picker to select the date only, so the time will be selected using the search query"

if your events got hour value as a separate field, then, with "where" command, it may be possible.

BUT that's a long and difficult route.

The earliest and latest offers all possible combinations of time/date we can ever imagine.

This example searches an index for the last 24 hours but omits any events returned from Midnight to 1:00 A.M., when downtime returns false log entries.

index=myindex ((earliest=-24h latest<@d) OR (earliest>=@d+1h))

This search specifies two time ranges:

24 hours before the search is run, up to midnight
The beginning of the day that the search is run, starting at 1 hour after midnight or 1:00 A.M.

https://docs.splunk.com/Documentation/SplunkCloud/8.1.2009/Search/Specifytimemodifiersinyoursearch

Re: Search for events after a certain time

richgalloway — Tue, 17 Nov 2020 17:35:44 GMT

If your events have the date_hour field (and it's reliable) then you can use it to filter events.

... | where date_hour >= 20 | ...

If you don't have that field then you can make your own.

... | eval date_hour = strftime(_time, "%H") | where date_hour >= 20