topic Re: exclude time range in splunk query in Splunk Search

exclude time range in splunk query

kirrusk — Tue, 01 Feb 2022 13:59:44 GMT

Hi,

I'm trying to exclude events from the time range.

from the above query trying to exclude Wednesday and in between 10 to 13, but it excludes all the day.
Can anyone have suggestions?

Have one more scenario,

need to exclude Monday and Wednesday particular hours.

gcusello — Tue, 01 Feb 2022 14:15:59 GMT

at first, probably, you don't need to use eval to have hour, minute, etc..., you should have date_hour, date_minute, etc...

Anyway, to exclude Wednesday and days of the mont between 10 and 13 (comprehensive of 10 and 13), you could use something like this:

index = _internal date_wday|="Wednesday " (date_mday<10 AND date_mday>13) | ...

Ciao.

Giuseppe

kirrusk — Tue, 01 Feb 2022 15:13:34 GMT

@gcusello date_wday not working properly, it's giving results with two days events (timestamps). So I'm using eval to take from _time

gcusello — Tue, 01 Feb 2022 15:53:01 GMT

what do you mean with "results with two days events (timestamps)." date_wday it's the same extraction than "| eval DayofWeek=strftime(_time,"%w")".

Anyway, yu can use your field evals and use my filter:

is this the real condition you want?

Ciao.

Giuseppe

gcusello — Tue, 08 Feb 2022 07:53:10 GMT

Hi good for you, see next time.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉