topic Re: Filtering by 24h time in splunk in Splunk Search

Filtering by 24h time in splunk

priyangshupal — Wed, 15 Sep 2021 11:49:32 GMT

I have a field timeofevent which contains the time at which the event was logged in 24 hour format.

Format of timeofevent: HH:MM

I want only the events which were logged between 18:30 to 08:30 CST.

ITWhisperer — Wed, 15 Sep 2021 11:55:44 GMT

Try this

| where timeofevent>="18:30" OR timeofevent<="08:30"

priyangshupal — Wed, 15 Sep 2021 12:04:22 GMT

Shouldn't it be?

| where timeofevent>="18:30" AND timeofevent<="08:30"

ITWhisperer — Wed, 15 Sep 2021 12:10:31 GMT

Only if you want no results!

Splunk works on a pipeline of event, each event is processed separately, so an event cannot be both >18:30 and <08:30 at the same time

priyangshupal — Wed, 15 Sep 2021 12:24:15 GMT

By using

| where timeofevent>="18:30" OR timeofevent<="08:30"

it is returning all the events, even the ones which are outside of that timeframe

ITWhisperer — Wed, 15 Sep 2021 12:31:39 GMT

You probably need to convert the string to a number e.g. "18:30" becomes 1830 and "08:30" becomes 830

| eval timeofevent=tonumber(replace(timeofevent,":",""),10) | where timeofevent>=1830 OR timeofevent<=830