topic Re: How could I look only at a defined time span in real-time-search? in Splunk Search

How could I look only at a defined time span in real-time-search?

Felix82 — Mon, 12 Jul 2021 13:39:59 GMT

Hi,

I'm new in working with Splunk - I began to explore the program last monday...

I have the task to create a dashboard for visualizing the availibility of a machine. My working base: The machine data, additional disorder reports by workers (implemented by tablets) and the knowledge about the working times (monday till friday, 5.30am till 10.30pm).

Now I want to use the daily data in timerange from 5.30am till 10.30pm because the availibility should only represents the disorder times in relation to real working time. How could I do that without a specified date?

Many Thanks and Greetings from Germany,

Felix

Re: How could I look only at a defined time span in real-time-search?

michel_wolf — Mon, 12 Jul 2021 15:11:16 GMT

Hi Felix,

you need to extract these requirements from your date field to filter it. You can perform your search for example like index=.... earliest=-7d@d latest=now to get all your data from the last 7 days.

Then you can add something like this

| eval day=strftime(_time,"%u")
| search day IN (1 2 3 4 5)

| eval timestampStart="05:30:00"
| eval timestampEnd="22:30:00"
| eval timestampDate = strftime(_time,"%H:%M:%S")

| where timestampDate >= timestampStart AND timestampDate <= timestampEnd

Michel

Re: How could I look only at a defined time span in real-time-search?

Felix82 — Tue, 13 Jul 2021 06:09:08 GMT

Hi Michel,

thank you for sharing your experiences! It's so difficult and extensive to get an overview around all commands and functions... I will test your parameters then give you feedback.

Greetings,

Felix