https://community.splunk.com/t5/Splunk-Search/events-since-a-certain-time-1700-in-the-previous-business-day/m-p/94844#M182445 <P>Maybe I'm reading too much into his question, but i don't think that solves his problem. He wants to return any results after 17:00 yesterday until the present (or any specific time)... unless the search is run 17:00-23:59:59 today. In that case, return today's results from after 17:00.</P> Fri, 11 Oct 2013 20:30:36 GMT twinspop 2013-10-11T20:30:36Z https://community.splunk.com/t5/Splunk-Search/events-since-a-certain-time-1700-in-the-previous-business-day/m-p/94841#M182442 <P>We have a deadline on a business day after which we cannot place orders (events). This is 1700 hrs. </P> <P>I would like to pick up certain events from this deadline until now. So similar to 10PM last night from the documentation. </P> <P>@d-2h Snap to the beginning of today (12AM) and subtract 2 hours from that time. 10PM last night.</P> <P>@d-7h would will not pick up the new value after now is 1700 hrs. At 1701 it should be searching from 1700 today and not 1700 the previous business day.</P> Fri, 11 Oct 2013 15:49:31 GMT https://community.splunk.com/t5/Splunk-Search/events-since-a-certain-time-1700-in-the-previous-business-day/m-p/94841#M182442 owainmcguire 2013-10-11T15:49:31Z https://community.splunk.com/t5/Splunk-Search/events-since-a-certain-time-1700-in-the-previous-business-day/m-p/94842#M182443 <P>That's trickier than it seems at first glance. This is my first run at it. Hopefully there's a more elegant solution.</P> <PRE><CODE>earliest=@d-7h latest=@d+17h | eval newday=0 | append [search earliest=@d+17h latest=+1d@d | eval newday=1 ] | eventstats latest(newday) as newdaytest | table _time field field1 field2 fieldN newday newdaytest | where newday=newdaytest </CODE></PRE> <P>So run 2 searches. One has the time from 17h last night to 17h today. The other is 17h today to midight. Eval a new field in each search so we can ID which results belong to which. Then compare the latest returned result's ID. Return only those results that have the same.</P> Fri, 11 Oct 2013 16:27:45 GMT https://community.splunk.com/t5/Splunk-Search/events-since-a-certain-time-1700-in-the-previous-business-day/m-p/94842#M182443 twinspop 2013-10-11T16:27:45Z https://community.splunk.com/t5/Splunk-Search/events-since-a-certain-time-1700-in-the-previous-business-day/m-p/94843#M182444 <P>See <A href="http://answers.splunk.com/answers/69820/search-to-only-include-business-hours-and-exclude-weekends">this</A> question. The answer from lguinn should account for what you need.</P> Fri, 11 Oct 2013 17:48:48 GMT https://community.splunk.com/t5/Splunk-Search/events-since-a-certain-time-1700-in-the-previous-business-day/m-p/94843#M182444 wpreston 2013-10-11T17:48:48Z https://community.splunk.com/t5/Splunk-Search/events-since-a-certain-time-1700-in-the-previous-business-day/m-p/94844#M182445 <P>Maybe I'm reading too much into his question, but i don't think that solves his problem. He wants to return any results after 17:00 yesterday until the present (or any specific time)... unless the search is run 17:00-23:59:59 today. In that case, return today's results from after 17:00.</P> Fri, 11 Oct 2013 20:30:36 GMT https://community.splunk.com/t5/Splunk-Search/events-since-a-certain-time-1700-in-the-previous-business-day/m-p/94844#M182445 twinspop 2013-10-11T20:30:36Z https://community.splunk.com/t5/Splunk-Search/events-since-a-certain-time-1700-in-the-previous-business-day/m-p/94845#M182446 <P>I would advise using the date_* metadata, should make your life a lot easier.</P> <PRE><CODE>index=_internal earliest=-1d@d [ | stats count | eval date_mday=strftime(now(), "%d") | fields date_mday] OR date_hour &gt;16 </CODE></PRE> <P>The subsearch gets today's date_mday value, and the OR will include stuff from yesterday from 17:00 on.</P> Fri, 11 Oct 2013 21:37:56 GMT https://community.splunk.com/t5/Splunk-Search/events-since-a-certain-time-1700-in-the-previous-business-day/m-p/94845#M182446 araitz 2013-10-11T21:37:56Z