topic Re: Search a particular time of day across multiple days in Splunk Search

Search a particular time of day across multiple days

sambiggins — Wed, 25 Sep 2013 18:51:51 GMT

Hello,

I'm trying to map out usage by time of day:

Morning (6am-8am)
Day Off Peak (8am-6pm)
Prime Time (6pm-11pm)
Night Off Peak (11pm-6am)

I'd like to be able to count events in these time slots across multiple days (for example a count of events in the last week that occurred during the Morning time slot).

Looking at the earliest and latest command, I don't see a way to snap that on a moving basis. Something like earliest=@d+6h latest=@d+8h for last seven days. Is there another way?

Thanks in advance!

Re: Search a particular time of day across multiple days

yannK — Wed, 25 Sep 2013 20:03:39 GMT

You can use an eval function (or an automatic calculated field) based on "date_hour" to identify the time of the day.

Then use it as a condition over several days.

example of number of events per day per timeofday.

* | eval timeofday=case(date_hour>=6 AND date_hour<8,"Morning", date_hour>=8 AND date_hour<18,"Day Off Peak", date_hour>=18 AND date_hour<23,"Prime Time", date_hour>=23 OR date_hour<6,"Night Off Peak", 1=1,"error") | timechart span=1d count by timeofday

Re: Search a particular time of day across multiple days

sambiggins — Wed, 25 Sep 2013 20:18:56 GMT

Perfect, thanks!

Re: Search a particular time of day across multiple days

kristian_kolb — Wed, 25 Sep 2013 20:19:01 GMT

Have you looked at the date_* fields? They are automatically extracted for most types of log files, but not all. The timestamp in your event is used for determining the the time the event should be indexed under, but it is also broken down into the date_* fields, e.g. date_wday, date_mday, date_hour etc.

If you live in an area where a 12-hour time notation is used in the event timestamps, this is somewhat less useful, and you might be better off by manually extracting the relevant part out of the _time field (in the 24-hour notation).

...| eval hr = strftime(_time, "%H") 
| eval slot = "Night Off Peak" 
| eval slot = case((hr > 5 AND hr < 8), "Morning", (hr > 7 AND hr < 18), "Day Off Peak", (hr > 17 AND hr < 23), "Prime Time") 
| timechart span=1d count by slot

The first eval (hr) will get the hour (0-23) from the timestamp. The second eval will just set a default value for the slot field. The third eval will override the value of slot for specific values of hr.

Hope this helps,

Kristian

Re: Search a particular time of day across multiple days

kristian_kolb — Wed, 25 Sep 2013 20:19:47 GMT

dammit!!

🙂

Re: Search a particular time of day across multiple days

yannK — Wed, 25 Sep 2013 20:27:51 GMT

too slow little grasshopper 🙂

Re: Search a particular time of day across multiple days

sambiggins — Wed, 25 Sep 2013 21:53:19 GMT

The answer above was the first I'd seem them. Quite handy! Thanks for chiming in 🙂

Re: Search a particular time of day across multiple days

DBattisto — Wed, 19 Sep 2018 16:23:30 GMT

This is exactly what I was looking for. Thanks!

Re: Search a particular time of day across multiple days

MayankChandra — Wed, 15 Sep 2021 17:42:59 GMT

Hi All, I need daily counts of events between 9PM (lets say yesterday) to 5 AM (today), this pattern i need for last 30 days. Could you please let me know what should be my search.

I am trying this but it returns nothing:

eventtype=eks_prd_logs sourcetype="kube:container:*crs-maint" earliest=-31@d latest=-1@d (date_hour > 21 AND date_hour < 5)

Can someone help asap.

Re: Search a particular time of day across multiple days

yoshileigh66 — Tue, 07 Nov 2023 19:01:57 GMT

This is years later but I'm hoping someone will be able to answer and see this. What is the 1=1, "error" referring to? I understand that if 1=1, then that adds one to "error", but that's the extent of my understanding.